As the person who's forum post is quoted in this latest Reg article, I think I might be suffering from a different, possibly older problem.
Several of the obfuscated .sh files I found were dated back in August. When the NAS was available on the internet. It stopped being directly visible around October, instead only allowing access via myqnapcloud.
Another interesting thing is that I wasnt running the latest firmware, but I'm pretty sure I would have checked it over the last few months via the admin web console. Along with this, the auto update check told me there was no new firmware available, when actually there was. I manually downloaded and updated the firmware the other day. Didn't fix the "wrong architecture" errors though.
Somebody from qnap support has apparently "delete[d] malware in the NAS QTS system" so I'll see later tonight if it's any healthier.
It is a few years old now but is apparently supported until some time in 2020. I just don't know if I trust it anymore. The whole point of having it was to get access to my stuff from anywhere with the minimum of hassle.