Yubikeys are intended to block phishing. This attack requires physical access.
I.e., if you're "worth it" to target IRL, you shouldn't use a Yubikey to begin with. Someone can swap your spare and you won't realize it until it's too late.
The last time Infineon chips had a crypto-breaking bug, Estonians got new ID cards for free. Meanwhile, my less-than-two-month-old Yubikey 4 stopped working as a hardware-attested PIV smartcard.
Software that keeps revocation lists (or whatever they are called) up to date stopped accepting keys generated on that hardware. The Yubikey itself continued to work just fine, but I had to switch to externally generated keys.
Oh, so I just need to update the firmware on the physical hardware token.
> YubiKey Firmware is Not Upgradable
https://support.yubico.com/hc/en-us/articles/360013708760-Yu...
L. So, Yubico is providing _free_ replacements, right?
I have a handful of these Yubikeys…