How do I know the YubiKey in front of me is actually a YubiKey from Yubico, and not from EvilCo?
People have been here before, and Yubico has helped them; see their support page.
They tell you to go to the verification page: Verification Page.
First inspect the device itself: does it look like someone opened it up and put in a MITM microcontroller? If so, don't use it.
You can use the official Yubico OTP Verification page to verify your device (although this does require you to insert an unverified HID device into your computer).
For the YubiKeys with NFC, there's a slightly easier solution that works 'in the box', so to speak.
You can scan the NFC with your phone through the sealed package; the key emits an NDEF payload containing an unused Yubico OTP (an AES-encrypted one-time password) at the end of a verification URL.
In other words, you scan one and it takes you to a Yubico website saying it is legit, which is a decent verification.
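As an added example (not from this page or from Yubico), here is stdlib-only Python that pulls the OTP out of a scanned NDEF URI record, decodes the ModHex public ID, and refuses to trust a validation-server "status=OK" unless the response is HMAC-signed with your API key and echoes the OTP and nonce you sent. The NDEF record, OTP and API key are constructed; the URL path is an assumption, and the signature scheme is the one the Yubico validation protocol (v2.0) documents.

```python
import base64
import hashlib
import hmac
import re

# ModHex: the 16 letters Yubico uses because they sit in the same spot on most keyboard layouts
MODHEX = "cbdefghijklnrtuv"
# NDEF URI-record abbreviation codes (first payload byte) for the prefixes we care about
URI_PREFIXES = {0x00: "", 0x01: "http://www.", 0x02: "https://www.", 0x03: "http://", 0x04: "https://"}


def parse_ndef_uri(record: bytes) -> str:
    """Decode a single short NDEF record of well-known type 'U' (URI) into a URL."""
    flags, type_len, payload_len = record[0], record[1], record[2]
    if not flags & 0x10 or type_len != 1 or record[3:4] != b"U":   # 0x10 = short-record flag
        raise ValueError("not a short NDEF URI record")
    body = record[4:4 + payload_len]
    return URI_PREFIXES[body[0]] + body[1:].decode("ascii")


def modhex_to_hex(s: str) -> str:
    return "".join(f"{MODHEX.index(c):x}" for c in s)


def extract_otp(url: str) -> dict:
    """A Yubico OTP is 44 ModHex chars: 12-char public ID followed by a 32-char AES block."""
    m = re.search(r"([cbdefghijklnrtuv]{44})$", url)
    if not m:
        raise ValueError("no 44-char ModHex OTP at the end of the URL")
    otp = m.group(1)
    return {"otp": otp, "public_id": otp[:12], "public_id_hex": modhex_to_hex(otp[:12])}


def sign_params(params: dict, api_key_b64: str) -> str:
    """Validation-protocol signature: HMAC-SHA1 over 'k=v' pairs sorted by key, joined by '&'."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def response_is_trustworthy(body: str, api_key_b64: str, sent_otp: str, sent_nonce: str) -> bool:
    """Accept status=OK only if the reply echoes our OTP and nonce and its 'h' signature verifies."""
    fields = dict(line.split("=", 1) for line in body.strip().splitlines() if "=" in line)
    if fields.get("status") != "OK":
        return False
    if fields.get("otp") != sent_otp or fields.get("nonce") != sent_nonce:
        return False
    return hmac.compare_digest(sign_params(fields, api_key_b64), fields.get("h", ""))
```

Without the nonce echo and signature check, anything on the network path could hand the client a forged "status=OK", so the check is what turns the scan into evidence.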
You can use Yubico's WebAuthn demo to verify your YubiKey.
Go to the WebAuthn Yubico Demo Site and go through the flow of registering your device.
You should see a "Registration Completed!" page, something like the screenshot referenced here, which shows that Yubico verified your device. Don't be afraid to be curious and click on the "Show Technical Details" dropdown menu to learn more about what's happening 'under the covers'.
Each YubiKey comes "pre-loaded from factory with a key and cert signed by Yubico" (source).
You can use this attestation certificate to attest that the key was generated in a Yubico factory.
For a detailed guide to the inner workings of this attestation, review this blog post created from the magic of CCCamp 2019.