Thanks to David Gerard, who pointed me in this direction: there appears to be QNAP NAS malware floating around that installs Python 3.9, Chia_full_node and farming scripts. It seems to use UPnP to open port 32440 in your firewall if UPnP is enabled, and then likely provides a remote shell that lets the malicious actor configure Chia and begin plotting out your disks. None of this is confirmed yet, but it is a VERY good idea to inspect your home network and disable UPnP unless you are actually using it. If you are, make sure it is disabled on all devices that do not need unfiltered inbound network access from the internet.
This is very reminiscent of malicious GPU / CPU mining software that installs itself as a drive-by, or that used to run in ads on malicious web pages. Because Chia has such a large footprint, grabbing some cycles while a user visits your website on their home PC wouldn’t do anything. But taking over a user's NAS and plotting out the remaining space? That could create a significant number of nodes for malicious activity and might even pull a block if it goes unnoticed. While we have been active in discussing Chia security issues here, this is a new one as far as I know.
More likely, these initial exploits are a test run for when pools launch, as the likelihood of getting paid off this arrangement is currently quite low due to the netspace growth. But with enough nodes in a pool you might be able to generate some relatively significant revenue off this.
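To act on the advice above about inspecting your network, here is an added example (not code from this post) that audits a router's UPnP port-mapping list for the reported port 32440 and for mappings to hosts you have not approved. It assumes the listing format printed by miniupnpc's `upnpc -l`; the sample listing, the IP addresses and the allow-list are constructed for illustration.

```python
import re

# Port the post reports being opened via UPnP.
SUSPECT_PORT = 32440

# One mapping row in the assumed `upnpc -l` format, e.g.:
#  1 TCP 32440->192.168.1.50:32440 'desc' '' 0
ROW = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)

def parse_mappings(listing):
    """Return the port mappings found in a `upnpc -l` style listing."""
    out = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:  # header and status lines do not match and are skipped
            out.append({"proto": m["proto"], "ext_port": int(m["ext"]),
                        "host": m["host"], "int_port": int(m["int"]),
                        "desc": m["desc"]})
    return out

def audit(mappings, allowed_hosts=frozenset()):
    """Flag mappings on the suspect port or to hosts not approved for inbound access."""
    findings = []
    for mp in mappings:
        reasons = []
        if SUSPECT_PORT in (mp["ext_port"], mp["int_port"]):
            reasons.append(f"port {SUSPECT_PORT} mapped")
        if mp["host"] not in allowed_hosts:
            reasons.append("host not on allow-list")
        if reasons:
            findings.append((mp, reasons))
    return findings

# Constructed sample listing (not captured from a real device).
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  3074->192.168.1.20:3074  'game console' '' 0
 1 TCP 32440->192.168.1.50:32440 'unknown' '' 0
 2 TCP  8080->192.168.1.50:8080  'NAS web' '' 0
"""

if __name__ == "__main__":
    for mp, reasons in audit(parse_mappings(SAMPLE), {"192.168.1.20"}):
        print(f"{mp['proto']} {mp['ext_port']} -> {mp['host']}:{mp['int_port']} "
              f"({mp['desc']}): {', '.join(reasons)}")
```

Feed it the real output of your router's mapping list in place of `SAMPLE`; any mapping to a NAS that you did not create yourself is worth investigating before you turn UPnP off.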
I was quietly pointed to it by someone else 🙂
I don’t think anyone has ever accused me of being professional or fair. I’m trying to look more into it, but I can’t find too much. Nothing showing up on Shodan yet that I can find.