The exploit is a postinstall hook, so CC users would be unaffected. Claude Code itself is most likely built with bun and not npm, so the CC developers would also be immune.

Oh right, I just saw https://news.ycombinator.com/item?id=47582220 will update the post with this link

What version?