Yubikey Security Advisory YSA-2024-03 Infineon ECDSA Private Key Recovery
24 points by gbrayut 10 months ago | 5 comments
- jsiepkes 10 months ago
Well since Yubikeys can't update their firmware everything with a firmware below 5.7 is e-waste I guess?
- xoa 10 months ago
> Well since Yubikeys can't update their firmware everything with a firmware below 5.7 is e-waste I guess?
You guess wrong (also "ewaste" is such a stupid term but whatever). As the article says, it's of moderate impact and depends on the user's threat model. The vast majority of us do not face advanced persistent individually targeted threats at all, let alone ones with a physical component (i.e., breaking into our houses or offices or the like). And we don't have any significant countermeasures already (how many of you would actually 100% of the time notice if a sophisticated team broke into a trusted space of yours and installed covert cameras aimed at various places you use your trusted computers, such that they could grab passwords and PINs, then steal keys?). Rather, the point of adding an HSM second factor, particularly one with an operator presence feature, is to help raise the difficulty of everything from phishing to security failures on the remote side (since unlike with passwords the remote side only has public info) to local malware.
This certainly isn't ideal, and some businesses will be paying attention, but any weakness that starts with "you must physically steal a specific item from somebody" already eliminates the overwhelming supermajority of threats most of us are concerned with.
- gnabgib 10 months ago
Discussion (51 points, 6 hours ago, 14 comments) https://news.ycombinator.com/item?id=41434500
- nixosbestos 10 months ago
I'm trying not to blow a gasket over this, but what the fuck? This makes the Yubikey I lost a couple months back a huge risk. This makes my primary and backup Yubikeys potential risks.
They don't allow FW upgrades for dubious reasons, and they aren't issuing replacements? It's so sad that the OSS alternatives are so lacking.
Maybe time to pick up a Precursor and start taking this all a bit more seriously.
- stebalien 10 months ago
This attack doesn't allow anyone to, e.g., bypass any PINs you may have set on your yubikey. It allows an attacker to extract your keys if and only if they can already use your yubikey.
From what I can tell, the risk is:
1. Someone takes your yubikey without your knowledge.
2. They manage to disassemble it, extract your key, and put it back together.
3. They secretly return your yubikey.
4. You continue to use your yubikey, unaware of the fact that it has been compromised.