HACKER Q&A
📣 ijdo

How are you protecting against supply chain attacks?


How are companies protecting against the constant risk of supply chain attacks? Everything from a rogue package reading API keys on a dev machine to the XZ backdoor enabling remote execution on any server with exposed ssh.

It's not a new problem. There are many companies trying to solve it. A lot of the products seem to be "we'll tell you if you're using something that has had a reported issue", but that's a bit late (better than nothing, but late).

It's not an easy problem to solve (you want to be able to read your API keys when you need to!). How are you tackling it?


  👤 toomuchtodo Accepted Answer ✓
https://www.cisa.gov/sites/default/files/publications/defend... (page 8)

Refer to what CISA recommends. We track project dependencies and look for material changes between releases. We eliminate API keys whenever possible, and rely on trust relationships instead. We use runtime security to detect abnormal activity end to end from dev env to prod. We monitor role activity to alert on abnormal API request sources.

It’s not about perfection, but about building a system, monitoring and measuring it, and improving it when possible.
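The "material changes between releases" check from the answer above, as an added example that is not the commenter's code: it diffs two constructed package-lock.json fragments and flags the changes a reviewer would want to look at before merging (a republished tarball under an unchanged version, a new install script, a tarball now served from a different host, plus ordinary version bumps and new dependencies).

```python
"""Flag material changes between two npm package-lock.json snapshots (added example,
not from the thread; lockfiles below are constructed package-lock v2/v3 fragments)."""
import json
from urllib.parse import urlparse

REG = "https://registry.npmjs.org"
# Constructed "before" and "after" snapshots (only the fields the check uses).
OLD_LOCK = json.dumps({"packages": {
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-AAAA",
                              "resolved": f"{REG}/left-pad/-/left-pad-1.3.0.tgz"},
    "node_modules/lodash": {"version": "4.17.20", "integrity": "sha512-BBBB",
                            "resolved": f"{REG}/lodash/-/lodash-4.17.20.tgz"},
}})
NEW_LOCK = json.dumps({"packages": {
    # Same version as before but a different hash: the tarball was republished.
    "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-CCCC",
                              "resolved": f"{REG}/left-pad/-/left-pad-1.3.0.tgz"},
    # Version bump, now served from another host, and gained an install script.
    "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-DDDD",
                            "resolved": "https://mirror.example.net/lodash-4.17.21.tgz",
                            "hasInstallScript": True},
    "node_modules/colors": {"version": "1.4.1", "integrity": "sha512-EEEE",
                            "resolved": f"{REG}/colors/-/colors-1.4.1.tgz"},
}})

def material_changes(old_json: str, new_json: str) -> list:
    """Return (severity, path, reason) tuples that deserve a human look."""
    old = json.loads(old_json)["packages"]
    new = json.loads(new_json)["packages"]
    out = []
    for path in sorted(new.keys() - old.keys()):
        out.append(("review", path, "new dependency"))
    for path in sorted(old.keys() - new.keys()):
        out.append(("info", path, "dependency removed"))
    for path in sorted(old.keys() & new.keys()):
        o, n = old[path], new[path]
        if o.get("version") != n.get("version"):
            out.append(("review", path, f"version {o.get('version')} -> {n.get('version')}"))
        elif o.get("integrity") != n.get("integrity"):
            out.append(("high", path, "integrity changed without version change"))
        if urlparse(o.get("resolved", "")).netloc != urlparse(n.get("resolved", "")).netloc:
            out.append(("high", path, "tarball host changed"))
        if n.get("hasInstallScript") and not o.get("hasInstallScript"):
            out.append(("high", path, "install script added"))
    return out

if __name__ == "__main__":
    for sev, path, why in material_changes(OLD_LOCK, NEW_LOCK):
        print(f"[{sev}] {path}: {why}")
```

Run it against the real lockfile from the previous release and the one in the pull request; the "high" findings are the ones that should block a merge until someone has looked at the package contents.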