GitHub has blocked SSH keys for users of Git clients that use the keypair JavaScript library to generate keys. For example, the keys of the GitKraken Git client were blocked. The vulnerability leads to the formation of predictable RSA keys due to an error that significantly reduces the quality of entropy when generating a random sequence for keys. The issue has been fixed in the releases of keypair 1.0.4 and GitKraken 8.0.1.
The reason for the vulnerability was the use of the call "b.putByte(String.fromCharCode(next & 0xFF))" in the process of generating the key, despite the fact that the fromCharCode method was called again in the putByte method. A double call fromCharCode ("String.fromCharCode( String.fromCharCode(next & 0xFF) )") resulted in most of the entropy buffer being filled with zeros, i.e. the key was generated on the basis of "random" data, 97% consisting of zeros.
Source: opennet.ru