USB sticks that can use firmware-level filesystem tables and/or multiple host-visible partitions, pretend to be a hub that is hosting multiple devices (HID mouse+keyboard, etc) in addition to an autorun, etc.

Not only can you trivially make such a thing with an arduino but there are also some commercial USB sticks which have a persistent "background" filesystem that cannot be formatted away.

Anything that is run automatically in the background, like the thumbnail services.

However, this is rather theoretical. All that common malware does is hide/delete all your existing directories, and put EXEs (or LNKs) with folder icons and the names of the original directories in their place. Plus maybe some autorun tricks.

For a fake HID device, you'd see cmd windows or whatever else it uses popping up. Other data hidden on it isn't a problem by itself. It can only passively sit there without some other attack vector.

Right, but the GP described an USB stick that they own. If you know that it's just an USB stick none of that applies.

Autorun hasn't been a thing in ages.

Except that is not true, there's BadUSB (https://github.com/brandonlw/Psychson), which updates the firmware of some common USB drives to make it do whatever your want (such as emulating a mouse/keyboard).

Stuxnet

Patched