Nope. Those on pinned versions don't get the malware.
You would have to publish the infected package first to infect others who haven't pinned their dependencies. With a simple pip install -U, if the dependency is not pinned, they will get the vulnerable version.
I think it was a jab at the statement "if I pin the dep, I am safe". How do you know your current code is not compromised? No one reads all the code they run, anyway.
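As an added illustration, not part of this thread: a small Python check that walks a requirements file and reports which entries are unpinned (and so would be pulled forward by pip install -U), which are pinned to an exact version, and which also carry a --hash pin that pip can verify with --require-hashes. The requirements text below is constructed for the example and the hash value is a placeholder, not a real digest.

```python
import re

# Constructed sample requirements file for this example (not from the thread).
# The sha256 value is a placeholder, not a real digest.
SAMPLE_REQUIREMENTS = """\
# constructed example
requests==2.31.0 --hash=sha256:PLACEHOLDER_DIGEST
urllib3>=1.26
flask
numpy~=1.26
cryptography==42.0.5
"""

# Exact pin: name followed by == and a version token.
PINNED_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([^\s;#]+)")
# Bare requirement name (rejects option lines such as -r or -e).
NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def classify_requirement(line):
    """Return (name, status) for one requirements line.

    status is 'pinned+hash', 'pinned' or 'unpinned'; comments, blank lines
    and option lines (-r, -e, --index-url ...) return None.
    """
    stripped = line.split("#", 1)[0].strip()  # drop trailing comments
    if not stripped:
        return None
    m = PINNED_RE.match(stripped)
    if m:
        status = "pinned+hash" if "--hash=" in stripped else "pinned"
        return m.group(1).lower(), status
    m = NAME_RE.match(stripped)
    if not m:
        return None
    # Anything else (no specifier, >=, ~=, <, etc.) can float to a new release.
    return m.group(1).lower(), "unpinned"


def audit_requirements(text):
    """Map each requirement name to its pin status."""
    result = {}
    for line in text.splitlines():
        entry = classify_requirement(line)
        if entry:
            result[entry[0]] = entry[1]
    return result


def unpinned_names(text):
    """Names that an unqualified upgrade could move to a newer (possibly bad) release."""
    return sorted(n for n, s in audit_requirements(text).items() if s == "unpinned")


if __name__ == "__main__":
    for name, status in sorted(audit_requirements(SAMPLE_REQUIREMENTS).items()):
        print(f"{name:15} {status}")
    print("floating:", unpinned_names(SAMPLE_REQUIREMENTS))
```

The check only answers the narrow question the thread raises: whether an upgrade can silently move a dependency. A pin with a --hash entry additionally lets pip refuse an artifact whose digest changed; a bare version pin does not, and neither says anything about whether the version already installed was clean, which is the point of the last comment.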