Which versions of pi-cord are malicious?

The following PyPI versions of pi-cord are flagged malicious: 1.0.0. Treat any of these as compromised.

How do I remediate pi-cord if I installed it?

Remove pi-cord from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.

I already installed pi-cord — how do I know if it already compromised me?

If pi-cord was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.

Is pi-cord part of a known attack campaign?

Yes — pi-cord is associated with the RLMA-2024-04247, RLUA-2024-08675 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

How do I find pi-cord across my projects, lockfiles, and CI pipelines?

Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pi-cord (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pi-cord across your stack and pipelines.

Malicious package

pi-cordPyPI

Malicious code in pi-cord (PyPI) Remove it immediately and rotate any exposed credentials.

MAL-2024-5465

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

pip uninstall pi-cord

Malicious versions

1 flagged

1.0.0

Indicators of compromise (SHA-256)

f8ec4feb554f0855586f16f3b0b58126872ff9002e9a06929707d95d30624d6d

0f4aa34511466559dd634acacd4b608622276bba3c60eb211f6308b0d9b10fed

Detection & response playbook

Malicious package

Find it
Scan your lockfiles (package-lock.json, pnpm-lock.yaml, yarn.lock, requirements.txt, poetry.lock, etc.) and build artifacts for pi-cord (version 1.0.0). O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, flagging pi-cord across your stack and pipelines.
If you installed it — respond
Remove pi-cord from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound activity or persistence.
Did it already run?
If pi-cord was ever installed, its post-install/runtime payload may have already executed. O3's L7 egress monitoring and runtime eBPF sensors detect the credential exfiltration or command-and-control callback after install and block the malicious outbound channel, so you catch and contain the actual compromise — not just the presence of the package.
How O3 protects you
O3 blocks pi-cord before install through its supply-chain scanner, and if it has already run, detects and severs the exfiltration or C2 callback at runtime through L7 egress monitoring and eBPF.

Frequently asked questions

No. pi-cord on PyPI has been identified as a malicious package (version 1.0.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

RLMA-2024-04247RLUA-2024-08675

Credits

ReversingLabs · finder

Detect & block this

O3 blocks pi-cord-class packages before install and in CI — and if it already ran, its runtime egress monitoring catches the malicious outbound activity and severs the channel.

Malware detection Runtime egress monitoring

pi-cordPyPI

Malicious versions

Indicators of compromise (SHA-256)

Detection & response playbook

Find it

If you installed it — respond

Did it already run?

How O3 protects you

Frequently asked questions

Campaign

Credits

Detect & block this