RC4's vulnerabilities arise from biases in which part of the algorithm?

The vulnerabilities come from biases in the keystream produced by RC4, especially the initial bytes. In a stream cipher like RC4, security depends on the keystream being indistinguishable from random. But the RC4 keystream has non-uniformities—certain values appear more often, particularly in the early output bytes after key setup. Since ciphertext is produced by XORing the plaintext with this biased keystream, those biases let an attacker infer information about the plaintext, most notably for the first few bytes of the message. The issue isn’t that RC4 reveals plaintext directly, or that it’s inherently fast, or that it provides perfect secrecy; it’s that the biased keystream leaks partial plaintext information, especially at the start.