Chinese security company 360 recently leaked a private key for a wildcard web certificate for *.myclaw.360.cn. The key was shipped as part of their 360 Claw software (apparently some AI frontend).
The certificate has now been revoked. I checked their software for private keys, and, appart from the key for that cert, I found another private key (1024 bit RSA) embedded in the file chrome.dll (it appears their software bundles some fork of chromium, the "original" chrome.dll contains, however, no such key).
I dont know what that other key does. Given it's 1024 bit RSA, it cannot be used for a valid Web certificate (those must be >=2048 bit).

Both keys are now detected by badkeys.

In the recently released badkeys v0.0.17, a new check for an RSA vulnerability has been added: RSA keys with small private d values, also known as Wiener's attack: https://badkeys.info/docs/smalld.html

RSA keys have a public exponent e and a private exponent d. Usually, we set the public exponent to a small value (these days, largely standardized to e=65537), which automatically means the private value d is about as large as the public modulus. d/e are interexchangable, and it's possible to create insecure keys with small d and large e value. Wiener's attack (first published 1989) allows breaking such keys.

This weakness can be entirely prevented if one simply does not support keys with large public e values. This is, e.g., the case in the go crypto library, see, e.g., this old (2012) blogpost by @agl https://www.imperialviolet.org/2012/03/16/rsae.html

Even more secure is to fix the e value to its common default (e=65537). This is small enough to be still fast, and it avoids both attacks relying on large e (Wiener's attack) and very small e values like 3 (Bleichenbacher's Signature Forgery/BERserk, Coppersmith/Håstad attack).

Is anyone aware of an OCR tool that is reliable enough for non-text content like base64 that it can decode something like this?

(Context is something that was just posted on the dev-security-policy list and I currently can't judge the severity, but it happens every now and then that I see private or public keys in images that I'd like to get OCRed, source of this one: https://archive.ph/u6U2p )

Key serialization formats can be - uh - the source of "interesting" issues. It appears the whole internet technically uses DKIM the wrong way, but it's more or less the fault of the standard.
DKIM uses public keys in DNS, usually RSA, but how are they encoded? There are two common RSA public key formats, SPKI and PKCS#1.
The DKIM spec RFC 6376 says this should be an RSAPublicKey and references RFC 3447, which is PKCS #1. So it's PKCS #1, right?
Well... there's an "INFORMATIVE" part of the RFC that lists openssl commands to encode a key, with an example. And that's... the openssl command to generate SPKI. The example shown is also an SPKI key.

The Internet has voted with its feet and everyone uses SPKI. From previous research, I had a collection of ~35k DKIM keys, and there are zero PKCS#1 keys in there.

This appears to be known and is mentioned in the errata.

It's quite an unfortunate situation. Technically, everyone's doing it wrong. However, if you would happen to be so brave to try to do it right, you'll probably just run into problems. While I haven't tested it, my best guess is that you will almost certianly find some receivers accepting PKCS#1 and others not. (Many crypto library APIs autodetect the format, but given *noone* is using PKCS#1, I'm sure there will be ones only accepting SPKI.)