Their description of the second incident includes this paragraph:
This was accomplished by targeting the DevOps engineer’s home computer and exploiting a vulnerable third-party media software package, which enabled remote code execution capability and allowed the threat actor to implant keylogger malware. The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the DevOps engineer’s LastPass corporate vault.
My current employer prohibits accessing the corporate network from a personal computer, or doing much in the way of personal activity on the corporate laptop.
When I travel, my computer backpack is heavier since it has both my work laptop and my personal laptop, but stories of breaches like this are among the reasons I’m quite happy to keep my personal digital world physically separated from my work digital world!