
Open Source Tool Exploited for Phishing Campaign

Hacker News

Andrej Acevski discovered that his open source project management tool, Kaneo, had been used to send phishing emails to more than 14,000 people. The attackers abused the hosted version's open signup to create 942 workspaces whose names were phishing subject lines, then triggered workspace invitations; because those invitations are a normal product feature, they went out from his verified Resend sending domain and carried that domain's legitimacy. The run lasted about three hours while the developer slept. The accounts were registered through disposable email providers to obscure the activity, and the workspace names followed a template with rotating bank names and cryptocurrency amounts.

The attacker timed the run for 4am UTC on a Thursday and sent roughly 100 invitations per workspace before Resend's rate detection halted the sending. Acevski's response was to revoke the Resend API keys, delete the bot accounts and their workspaces, and then harden signup and invitations with a captcha, rate limits and workspace-name filtering. The cleanup took about an hour; the hardening took a full day.

The incident exposes a blind spot common to open source projects that also offer a hosted version. On a self-hosted instance, operator and users are the same party, so their interests are aligned. In the hosted version the operator vouches to external systems, here the email provider and every recipient's mail server, for whatever its users do, which is a different threat model. Acevski now describes his cloud tier as 'infrastructure I'm running on behalf of strangers', with the responsibilities that implies, rather than a convenience for trying the product out.