If Charlie was a security researcher and SemiAccurate was a well-regarded security firm, I would not expect details or cross-references or mentions on security lists. Charlie is not a security researcher, he's a journalist, and SemiAccurate is the tech equivalent of a supermarket tabloid. He is not a credible primary source for anything security-related, particularly given SemiAccurate's reputation for publishing rumors as facts.

None of that means he's necessarily wrong, just that you should be very careful about believing his claims without supporting evidence. A lot of people here on HN have thought that a remote ME exploit was only a matter of time, so an article claiming to validate that belief will not get as much skepticism as it should.