Is it common that an unlocked wallet is sitting on someone's machine? I would have assumed that you would put a SSH like passphrase onto the thing. Or are they stealing browser cookies that have a login to Coinbase or similar?

From the screenshots they are collecting the information from browser addon wallets which are usually less secure hot wallets.

I don’t know about Coinbase but Kraken has protections such that even if you had a cookie you couldn’t withdraw funds, in addition to security key/OTP support. Apparently people still don’t understand hardware wallets either. Nobody deserves to be a victim of theft but this is pure negligence. Don’t handle crypto if you don’t know how to handle crypto.