GitHub security update: revoking weakly-generated SSH keys
Blog post from GitHub
On September 28, 2021, GitHub was informed by Axosoft of a vulnerability in the Git GUI client GitKraken that caused it to generate weak SSH keys; the root cause was a flaw in "keypair", a library GitKraken depended on for key generation. The issue affected GitKraken versions 7.6.x, 7.7.x, and 8.0.0. GitHub revoked all vulnerable keys generated by these versions and put measures in place to block any new weak keys from being added. GitHub also investigated other third-party clients that might use the same vulnerable library, revoked any potentially weak keys out of caution, and notified affected users directly. The problem was not the result of a compromise or data breach at GitHub; it stemmed from the library used for SSH key generation. GitHub recommends that users who might be affected review and rotate their SSH keys, and thanks Axosoft and Julian Gruber for their collaboration in addressing the issue. The announcement was written by Mike Hanley, GitHub's Chief Security Officer.
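Reviewing which of your keys are affected starts with matching their fingerprints against the ones named in a revocation notice. The script below is an added example, not code from GitHub, Axosoft or the keypair project: it parses OpenSSH public key lines (such as an `authorized_keys` file or `~/.ssh/*.pub`), computes the `SHA256:` fingerprint that `ssh-keygen -l` and GitHub's SSH settings page display, and flags any key whose fingerprint is on a revocation list. The sample keys and the revocation list are constructed for the demo (the sample key bytes are fixed values, not real key pairs), and the assumption that a revocation notice supplies fingerprints in this form is mine.

```python
"""Audit SSH public keys against a list of revoked fingerprints.

Added example (not GitHub's, Axosoft's or keypair's code). Computes the
SHA256:<base64> fingerprint shown by `ssh-keygen -l` and GitHub, then flags
keys whose fingerprint is in a revocation set. Sample keys and the revoked
set are constructed for the demo; a real set would be taken from the
revocation notice (assumption about its format).
"""
import base64
import hashlib
import struct
from typing import Iterable


def fingerprint_blob(blob: bytes) -> str:
    """SHA256 fingerprint of a raw OpenSSH public-key blob in the
    'SHA256:<unpadded base64>' form used by ssh-keygen -l and GitHub."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_public_key(line: str) -> tuple[str, bytes]:
    """Parse one OpenSSH public key line ('<type> <base64 blob> [comment]')
    into (key type, raw blob). The algorithm name embedded in the blob must
    match the type on the line; a mismatch means a truncated or edited entry."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob = parts[0], base64.b64decode(parts[1])
    # The blob begins with a length-prefixed string naming the algorithm.
    (name_len,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + name_len].decode()
    if name != key_type:
        raise ValueError(f"key type mismatch: {key_type!r} vs {name!r}")
    return key_type, blob


def audit_keys(lines: Iterable[str], revoked: set[str]) -> list[dict]:
    """Return one record per key: type, fingerprint, comment and whether the
    fingerprint is in the revoked set. Blank and '#' lines are skipped, as
    sshd skips them in authorized_keys."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key_type, blob = parse_public_key(line)
        comment = " ".join(line.split()[2:])
        fp = fingerprint_blob(blob)
        results.append({"type": key_type, "fingerprint": fp,
                        "comment": comment, "revoked": fp in revoked})
    return results


def make_ed25519_line(pubkey: bytes, comment: str) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 raw
    bytes. Constructed test data only; these bytes are not a real key."""
    name = b"ssh-ed25519"
    blob = (struct.pack(">I", len(name)) + name
            + struct.pack(">I", len(pubkey)) + pubkey)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


# Constructed sample authorized_keys content built from fixed bytes.
SAMPLE_KEYS = [
    "# keys on a developer workstation (constructed sample)",
    make_ed25519_line(bytes(range(32)), "laptop-2020"),
    make_ed25519_line(bytes(32), "flagged-in-notification"),
]

# Constructed revocation set: here simply the second sample key's fingerprint,
# standing in for the fingerprints a revocation notice would list.
REVOKED = {fingerprint_blob(parse_public_key(SAMPLE_KEYS[2])[1])}


if __name__ == "__main__":
    for rec in audit_keys(SAMPLE_KEYS, REVOKED):
        status = "REVOKED - rotate this key" if rec["revoked"] else "ok"
        print(f"{rec['fingerprint']}  {rec['type']:<12} {rec['comment']:<24} {status}")
```

To run it against real keys, replace `SAMPLE_KEYS` with the lines of an `authorized_keys` file or your `.pub` files and `REVOKED` with the fingerprints from the notice; any key reported as revoked should be deleted from every host and service it was registered with and replaced by a freshly generated key.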