A HERMES.md commit message sent Claude Code usage to the wrong $200 meter
A Claude Code user traced $200.98 in unexpected extra-usage charges to the exact case-sensitive text HERMES.md in recent Git commit messages. His Max plan still showed more than 86 percent of its weekly capacity available, but affected projects stopped working after the separate credit balance ran out. Anthropic said an overactive fraud and third-party-harness detector had misclassified requests because Claude Code pulled Git history into its system prompt. The company fixed the bug, refunded affected users, and gave the reporter another $200 in credits after automated support initially refused compensation.
Incident Details
Tech Stack
References
The plan had capacity; the other meter was empty
On April 25, 2026, a Claude Code user named Sasha reported that his projects had stopped working with an error saying he was out of extra usage. He subscribed to Anthropic's Max 20x plan, which cost $200 per month, and his dashboard showed that more than 86 percent of the included weekly capacity remained. Another $200.98 had nevertheless disappeared from a separate pool of pay-as-you-go credits.
The service was not merely displaying the wrong number. Once the extra credits were depleted, requests in several projects failed even though the subscription quota was mostly unused. The error did not explain why those requests had been routed away from the plan allowance.
Sasha reduced the problem until the trigger fit in one commit message: HERMES.md. If that exact case-sensitive string appeared in recent Git history, Claude Code requests were billed to extra usage. Lowercase hermes.md, HERMES without the extension, HERMES.txt, AGENTS.md, and README.md did not trigger the behavior. A file named HERMES.md on disk also worked normally when the commit message was clean.
This was one thoroughly documented account. Anthropic later referred to affected users in the plural and said it was contacting them, but it did not publish a count or total charge. The confirmed blast radius should therefore remain one user, $200.98, and several unusable projects, with an acknowledged but unquantified wider group.
A fresh repository reproduced the billing route
The public issue included a short reproduction requiring no existing project files. Sasha initialized a new Git repository, committed a test file with a message containing HERMES.md, then asked Claude Code to say hello. The request failed because the extra-usage balance was empty. Repeating the setup with lowercase hermes.md returned the requested greeting through the plan quota.
He also cloned affected repositories, tested branches without history, and isolated individual commit strings. An orphan branch, which starts without the earlier commit history, worked. That comparison narrowed the trigger to text in recent commits rather than project code, a local configuration file, or the mere presence of a similarly named document.
Git commit messages are descriptive metadata written by developers. They record why a change was made and often mention filenames. Nobody reading add HERMES.md would expect the text to select a billing system. Yet Claude Code included recent Git information in its system prompt, the hidden instruction and context sent to the model with each request.
Anti-abuse detection interpreted project history as identity evidence
Anthropic staff said the fraud-prevention system had become overactive. A Claude Code developer gave a more specific explanation: the bug involved third-party-harness detection and the way Git status was pulled into the system prompt. A harness is the software around a model that assembles context, supplies tools, and sends requests. Anthropic was trying to distinguish ordinary Claude Code use from traffic routed through other agent software.
That detector apparently treated the name HERMES.md as evidence about how the request originated. Hermes is also the name of agent software, so a legitimate repository mentioning a file with that name could resemble a third-party setup to a classifier looking at raw prompt content. The result was a content-based billing decision: ordinary project history changed which quota paid for the request.
Anti-fraud systems are allowed to inspect signals. Their actions still need a reliable connection to the behavior being classified. A filename in a commit message says something about the repository. It does not prove that a subscriber is bypassing product rules, and it certainly does not authorize silent use of a different payment balance.
Automated support completed the first half of the diagnosis
GIGAZINE reported that Anthropic's support assistant acknowledged incorrect billing routing but initially said compensation was unavailable for technical errors that caused service degradation or misbilling. That response combined recognition of the company's mistake with a refusal to return the money consumed by it.
A human response later said the bug had been fixed. Anthropic announced that affected users would receive refunds and another month of credits; for Sasha, the additional credit was $200. GIGAZINE reported that the refund arrived on April 30 after the issue gained wider attention.
Remediation matters here. The reporter ultimately received the consumed value back plus additional credit, and the routing defect was corrected. The delay and initial refusal still belong to the incident because the support path was another automated system applying a general policy to an abnormal, documented charge.
Billing decisions need inputs customers can inspect
Usage products commonly maintain several balances: subscription allowance, prepaid overage credits, and sometimes limits associated with a particular product or access route. Customers need to know which balance a request will consume before the request runs. If an anti-abuse system changes that route, the interface should identify the classification, pause billable use when confidence is low, and offer a prompt review path.
Content from a working directory is especially poor evidence for charging. Repository text can come from coworkers, dependencies, templates, cloned projects, or old commits. A system prompt may need some of that material to help the model work, but downstream services should not treat every token inside it as an authenticated statement about the customer's account or client software.
The bug also demonstrates why exact reproductions are valuable in billing disputes. "My credits vanished" is difficult to investigate. Two empty repositories differing only by the capitalization of one commit-message string left little room for a generic usage explanation. Sasha's binary search turned an opaque charge into a deterministic defect, even if getting the money back still required several more days and a public audience.
Discussion