Real 2025 PostgreSQL cryptojacking incident and AI-assisted recovery
1 point | 9 hours ago | 1 comment | substack.com | HN

levelZero, 9 hours ago:
A dev laptop running Ubuntu 24.04 got hit by a classic PostgreSQL cryptojacking attack while on public Wi-Fi (port 5432 exposed, UFW temporarily off). Detection started with fan noise → btop tree view revealed 70-99% CPU under the postgres user. The recovery was fully scripted, transparent, and driven by a local coding agent (Codex-Max-5.2) turned into a paranoid remediation specialist via a custom AGENTS.md directive. Highlights:

- Generated dozens of timestamped audit/cleanup scripts
- Captured rogue sshd binary → 24/64 detections on VT as Linux trojan/rootkit hider
- Ended with UFW timed rules, auditd watches, LAN-only services

Full play-by-play, verbatim scripts, and takeaways — no hype, just level zero truth.

https://open.substack.com/pub/layerzero0/p/surviving-a-2025-...

Would love feedback from anyone who's dealt with Postgres miners or AI-assisted IR.

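The first symptom in the post is sustained CPU under the postgres user, with the offending process turning out to be a rogue binary. The following triage helper is an added example (not the poster's scripts and not from the linked write-up): it reads `ps -eo user,pcpu,comm,args` style lines and flags postgres-owned processes that either exceed a CPU threshold or run a binary outside an assumed allowlist of stock PostgreSQL command names; the sample process table is constructed.

```shell
#!/bin/sh
# Added example: flag suspicious processes running as the postgres user.
# Input format assumed: output of `ps -eo user,pcpu,comm,args` (header optional).

THRESHOLD="${THRESHOLD:-50}"

# Assumption: command names a stock Ubuntu PostgreSQL install is expected to run.
EXPECTED_POSTGRES_CMDS="postgres postmaster pg_ctl psql"

# Prints one tab-separated line per flagged process: reason, user, %cpu, command.
flag_postgres_miners() {
  awk -v thr="$THRESHOLD" -v allow="$EXPECTED_POSTGRES_CMDS" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NR == 1 && $1 == "USER" { next }          # skip the ps header line
    $1 != "postgres" { next }                  # only processes owned by postgres
    {
      cpu = $2 + 0; cmd = $3; reason = ""
      if (!(cmd in ok)) reason = "unexpected-binary"
      if (cpu >= thr) reason = (reason == "" ? "" : reason ",") "high-cpu"
      if (reason != "") printf "%s\t%s\t%s\t%s\n", reason, $1, $2, cmd
    }'
}

# Constructed sample process table (not real data). Columns: USER %CPU COMM ARGS
SAMPLE_PS='USER %CPU COMM ARGS
postgres 0.3 postgres /usr/lib/postgresql/16/bin/postgres -D /var/lib/postgresql/16/main
postgres 98.7 sshd /tmp/.x/sshd
postgres 2.1 postgres postgres: checkpointer
root 1.0 systemd /sbin/init
postgres 85.0 postgres postgres: app appdb [local] SELECT'

# Number of flagged lines for the sample table (a busy legitimate backend is
# also reported, which is intended: it still warrants a look).
count_flags() {
  printf '%s\n' "$SAMPLE_PS" | flag_postgres_miners | wc -l | tr -d ' '
}
```

On a live host, replace the sample with `ps -eo user,pcpu,comm,args | flag_postgres_miners`.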