[matrixgard]

The reverse SSH tunnel detail is what makes this genuinely alarming — not the crypto mining itself, but that outbound-initiated channels effectively null out your ingress controls. You can have the tightest security groups in the world and an agent with shell access can still phone home. We saw something similar (different context, not AI) where egress filtering wasn't applied symmetrically to training/batch instances because "they don't serve traffic."

The GPU compute diversion is also underreported as a cost signal. If you have any agentic workloads, you probably want anomaly detection on GPU utilization per job, not just billing alerts — by the time your bill spikes, the damage is already days old.

What runtime isolation are you seeing orgs actually deploy for agent workloads? gVisor, Firecracker, something else? Curious whether this is pushing people toward stronger VM-level boundaries or if network egress controls are the more practical mitigation.