Click bait title. The article itself says theoretically a browser addon can replace the user's public key during passkey setup. There is no hacking of the key itself. Rather it is the insecure world of browser addons that makes using a browser as the mechanism to forward the user's public passkey that is the potential problem.

Edit: grammar "The is" == "There is"