Yubikey vulnerability found, but don’t lose sleep over it. Nobody is going through all this effort to get into your GMail if you’re not a VIP.
Also, it requires you to be separated from your yubikey for like 10 hours. Or having it swapped out for that amount of time. It’s a hell of a covert ops thing to do.