You report a compromised key — with your confirmation the scenario deactivates it in Paddle, audits the permissions, applies a restriction and reports to Telegram.