Caudill says that by publishing their code, he and Wilson are hoping to start that security process. But even they hesitate to release every possible attack against USB devices. They’re working on another exploit that would invisibly inject malware into files as they are copied from a USB device to a computer. By hiding another USB-infecting function in that malware, Caudill says it would be possible to quickly spread the malicious code from any USB stick that’s connected to a PC and back to any new USB plugged into the infected computer. That two-way infection trick could potentially enable a USB-carried malware epidemic. Caudill considers that attack so dangerous that even he and Wilson are still debating whether to release it.
First, maybe release this to relevant manufacturers first? Second, though thumb drives have always had the potential to have something nasty on them, clearly residing in the firmware makes this nasty much more malicious, harder to detect and to remove. Third imagine the ways a "thumb drive" could be disguised as not a thumb drive, (USB charger, etc.).