theverge[.]com/23308394/usb-rubber-ducky-review-hack5-defcon-duckyscript
This is maybe the most prominent example -- the USB Rubber Ducky is a $60 hacking tool -- but most any USB stick is susceptible to having its firmware altered... guides & tools are somewhat readily available. In fact, it's not a terribly bad idea [no, you're not getting too paranoid] to thoroughly check the packaging on anything with a USB plug to make sure it's both sealed and matches the packaging the manufacturer displays online. Anything with its own firmware [software installed on a memory chip] can be hacked, and someone somewhere has probably done it in the past. [It can be a problem currently with used motherboards for example.]
Many [most?] computers work with all sorts of devices connected via USB, relying on the USB device to tell it what it is. The Rubber Ducky tells the computer it's a keyboard, so the computer listens for whatever keys you type, only in this case it's malware sending the keystrokes.
Anyway the moral is if someone hands you a USB device, especially a USB stick, Decline, and if you see a USB stick lying around, leave it alone, or toss it in the trash to protect the next person who's not as careful as you are.