The png didn't do shit. Users where compromised by a malicious extension.
Steganagrophy (hiding data in a png) is a non issue and cannot do anything independently. It is also impossible to really stop.
Which is probably why the cybersecurity news cycle likes to pretend that steganagrophy is a risk on it's own, so that they can sell you products to stop this "theat".
I hate the clickbait title is what I'm trying to say. But the writeup is pretty interesting.
Although the real solution to this problem is probably only letting users install known safe extensions from an allowlist, instead of "pay us for consulting!".