The exploit is a postinstall hook, so CC users would be unaffected. Claude Code itself is most likely built with bun and not npm, so the CC developers would also be immune.
Well, technically bun doesn't _prevent_ hooks. It just requires opting into them. And even that also includes a default set of pre-whitelisted packages. A much better system, but not perfect.
And actually just looking this up, it appears claude-code itself was just added to that whitelist :D
https://github.com/oven-sh/bun/commit/5c59842f78880a8b5d9c2e...
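An added example, not part of the thread and not bun's own code: a small audit that models the opt-in policy described in the comments above, where install hooks run only for packages the project lists in `trustedDependencies` or that sit on a default allowlist. All package names, the sample allowlist, and the way the two lists are combined are assumptions made for illustration.

```javascript
// Added example. Lifecycle scripts that execute at install time.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// rootManifest: the project's package.json as an object.
// installedManifests: package.json objects of installed dependencies
//   (in practice read from node_modules/*/package.json).
// defaultAllowlist: names trusted without the project opting in (constructed here).
function auditInstallHooks(rootManifest, installedManifests, defaultAllowlist = []) {
  const optedIn = new Set(rootManifest.trustedDependencies || []);
  const byDefault = new Set(defaultAllowlist);
  const report = [];
  for (const m of installedManifests) {
    const scripts = m.scripts || {};
    const hooks = INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string");
    if (hooks.length === 0) continue; // nothing runs at install time
    let status = "blocked";
    if (optedIn.has(m.name)) status = "runs (project opt-in)";
    else if (byDefault.has(m.name)) status = "runs (default allowlist)";
    report.push({ name: m.name, version: m.version, hooks, status });
  }
  return report;
}

// Constructed sample input; none of these are real packages.
const rootManifest = { name: "demo-app", trustedDependencies: ["native-addon-a"] };
const installed = [
  { name: "native-addon-a", version: "1.0.0", scripts: { install: "node-gyp rebuild" } },
  { name: "popular-tool-b", version: "2.3.1", scripts: { postinstall: "node setup.js" } },
  { name: "unknown-dep-c", version: "0.0.9",
    scripts: { preinstall: "node x.js", postinstall: "node y.js" } },
  { name: "pure-js-d", version: "4.1.0", scripts: { test: "node test.js" } },
];
const defaultAllowlist = ["popular-tool-b"];

for (const r of auditInstallHooks(rootManifest, installed, defaultAllowlist)) {
  console.log(`${r.name}@${r.version} [${r.hooks.join(", ")}] -> ${r.status}`);
}
```

The "runs (default allowlist)" rows are the ones worth reviewing by hand, since the project never opted into them itself.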
Oh right, I just saw https://news.ycombinator.com/item?id=47582220, will update the post with this link.
Just to corroborate sibling comments, I checked my Claude Code VM (native install) for the IOC and it does not appear infected.
What version?
1.13.6, so should not be affected by the malware