It’s not worrying, it’s becoming outrageously bad and hostile:

The client attestation system implies they’re fighting API abuse through Claude Code. The NATIVE_CLIENT_ATTESTATION feature lets Bun’s HTTP stack overwrite the cch=00000 placeholder with a computed hash, essentially a client authenticity check. This is a DRM-like mechanism to verify requests come from legitimate Claude Code installs, not from scripts or modified clients. It tells you that unauthorized API access through fake Claude Code clients is a real enough problem that they built cryptographic attestation into the binary.

from here: https://redlib.catsarch.com/r/ClaudeAI/comments/1s8ifm6/claude_code_source_code_has_been_leaked_via_a_map/odhuc7b/?context=3#odhuc7b (sorry, I’m too lazy searching for the actual original)