The exploit is a postinstall hook, so CC users would be unaffected. Claude Code itself is most likely built with bun and not npm, so the CC developers would also be immune.
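Because the comment turns on the exploit running from a postinstall hook, here is an added example (not from the comment or from any project it mentions) that lists which packages in a `node_modules` tree declare install-time lifecycle scripts. The function names and the sample package names are constructed for illustration.

```javascript
// Added example: audit package manifests for install-time lifecycle scripts.
// npm runs these three hooks automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Pure check: takes parsed package.json objects, returns one finding per hook.
function findInstallHooks(manifests) {
  const findings = [];
  for (const m of manifests) {
    const scripts = m && typeof m.scripts === "object" && m.scripts !== null ? m.scripts : {};
    for (const hook of INSTALL_HOOKS) {
      const cmd = scripts[hook];
      if (typeof cmd === "string" && cmd.trim() !== "") {
        findings.push({ name: m.name || "(unnamed)", version: m.version || "?", hook, command: cmd });
      }
    }
  }
  return findings;
}

// Walk a node_modules tree (scoped and nested packages) and parse each manifest.
// Symlinked package directories (e.g. pnpm layouts) are not followed.
async function readManifests(root) {
  const fs = await import("node:fs");
  const path = await import("node:path");
  const out = [];
  const walk = (dir) => {
    let entries;
    try { entries = fs.readdirSync(dir, { withFileTypes: true }); } catch { return; }
    for (const e of entries) {
      if (!e.isDirectory() || e.name.startsWith(".")) continue;
      const full = path.join(dir, e.name);
      if (e.name.startsWith("@")) { walk(full); continue; } // scope directory
      try { out.push(JSON.parse(fs.readFileSync(path.join(full, "package.json"), "utf8"))); } catch { /* missing or invalid manifest */ }
      walk(path.join(full, "node_modules")); // nested dependencies
    }
  };
  walk(root);
  return out;
}

// Constructed sample manifests (hypothetical package names, not from the page).
const SAMPLE = [
  { name: "plain-lib-example", version: "1.0.0", scripts: { test: "node test.js" } },
  { name: "native-addon-example", version: "2.1.0", scripts: { install: "node-gyp rebuild" } },
  { name: "unreviewed-example", version: "0.0.1", scripts: { postinstall: "node setup.js" } },
];

// Scan the directory given as the first argument, else report on the sample.
const target = process.argv[2];
(target ? readManifests(target) : Promise.resolve(SAMPLE)).then((ms) => {
  for (const f of findInstallHooks(ms)) console.log(`${f.name}@${f.version} ${f.hook}: ${f.command}`);
});
```

Run it as `node audit.js ./node_modules` to review a real tree. Installing with `npm install --ignore-scripts` keeps these hooks from running at all.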