keypair / GitKraken vulnerability (CVE-2021-41117)

In 2021 two bugs were discovered in the JavaScript package "keypair" that together resulted in a weak random number generator. A check for the presence of the JavaScript random function always failed, so a fallback random number generator was used instead. That fallback had a string conversion bug that severely limited its output: effectively each byte could only take the values 0-9, with 0 being the most likely value.
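The string conversion bug behind that distribution, reduced to its essence as an added example (this is illustrative code, not the keypair package's own): a byte buffer whose putByte() expects a number is handed a one-character string instead, and String.fromCharCode silently applies ToNumber to it. The names ByteBuffer, buggyByte, fixedByte and distribution are assumed for the illustration.

```javascript
// Added illustration, not keypair's code. Hypothetical names throughout.
class ByteBuffer {
  constructor() { this.data = ''; }
  // Expects a number 0-255 and stores it as one character.
  putByte(b) { this.data += String.fromCharCode(b); }
  bytes() { return Array.from(this.data, ch => ch.charCodeAt(0)); }
}

// Buggy path: the caller has already turned the byte into a character, so
// putByte() receives a string. String.fromCharCode converts it with ToNumber:
// "0".."9" become 0..9, every other single character becomes NaN, i.e. 0.
function buggyByte(next) {
  const buf = new ByteBuffer();
  buf.putByte(String.fromCharCode(next & 0xff));
  return buf.bytes()[0];
}

// Correct path: hand the numeric byte to putByte() directly.
function fixedByte(next) {
  const buf = new ByteBuffer();
  buf.putByte(next & 0xff);
  return buf.bytes()[0];
}

// Map each reachable output byte to how many of the 256 inputs produce it.
function distribution(fn) {
  const counts = new Map();
  for (let v = 0; v < 256; v++) {
    const out = fn(v);
    counts.set(out, (counts.get(out) || 0) + 1);
  }
  return counts;
}

if (typeof require !== 'undefined' && require.main === module) {
  const buggy = distribution(buggyByte);
  console.log('buggy: distinct output bytes =', buggy.size,
              ', P(0) =', buggy.get(0) / 256);   // 10 values, P(0) ~ 0.96
  console.log('fixed: distinct output bytes =', distribution(fixedByte).size);
}
```

With the buggy path only ten distinct byte values survive, and 247 of the 256 possible inputs collapse to zero, which is why keys from the fallback are concentrated on a small set of likely values.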

The "keypair" package was used by the GitKraken software to generate SSH keys for accessing code hosting platforms such as GitHub.

Due to the nature of this bug it is not possible to enumerate all keys a vulnerable keypair version can produce: the vulnerable library generates different keys with different probabilities. Our blocklist contains all keys that are created with a high probability.