I haven’t seen anything on here yet about this certain issue, and I wanted to let as many people know I can about this new very, very clever method exploiters are using to trick developers into installing malicious plugins. I just had a run-in with this method a few hours ago as backdoors kept appearing in my game on studio launch. I did some digging, and it was due to a malicious plugin “Weld Plugin” created by @ Ozzypig (Supposedly!).
Exploiters create groups and literally name them the handle of “trusted” individuals (e.g. “@ clonetrooper1019”), and upload malicious plugins under that group. There is literally no way to tell if the creator tag is a players actual @ handle or a groups name. Be careful out there!
tl;dr people can create groups that have the name of peoples @ handles (e.g. a group named “@ Ozzypig”) and publish malicious plugins under that group as to have the creator tag on the plugins site in catalog say it was created by that certain person, when in fact its just the groups name.