An important update (and apology) on our PoisonSeed blog

Expel issued a correction to a prior blog post that had claimed an attacker circumvented FIDO passkey cross-device authentication. Their re-analysis shows the attacker successfully phished a password and triggered a QR-initiated FIDO flow, but all MFA challenges failed and the attacker was not granted access; Expel apologizes, thanks community responders, and commits to stronger technical review and evidence transparency.