Vulnerable: open-source project author's cloud-hosted version used to send 14,520 phishing invite emails — legitimate DKIM signatures make it hard for recipients to tell real from fake

On May 29, developer Andrej Acevski of the open-source project management tool Kaneo discovered that someone had abused its cloud-hosted version (cloud.kaneo.app) to send 14,520 phishing invitation emails in less than 3 hours. The attacker bulk-registered 942 accounts using a temporary email service, created one workspace per account with a name crafted as phishing bait (e.g., ":locked:Paul Brown from BANKING OPERATION invited you to join 3.4090_BTC receipt"), and then used Kaneo's workspace invitation feature to send roughly 100 invites per account to a pre-prepared list of recipients. Because the invitation emails went out through Acevski's Resend domain, which had valid DKIM authentication, every message carried a legitimate sender signature. Recipients who clicked "Accept" were redirected to a craftum.io phishing link with a tracking suffix. The attack ended around noon Beijing time: Resend's rate detection automatically shut it down about 90 minutes after it began, and Acevski only learned of it when he received a quota exhaustion alert afterward.

In a blog post, Acevski noted that the attack didn't exploit any vulnerabilities; the attacker simply "used the tool as it was intended." The root cause is the fundamentally different threat models of the self-hosted and cloud-hosted versions: in the self-hosted version, the operator and the users are the same people, so there is no motive for abuse; in the cloud version, the operator bears full reputation responsibility for every email any user sends through the platform. Cleanup took only about an hour: a single Postgres transaction banned 942 accounts, deleted 947 workspaces, and cascaded the removal of 14,533 invitations. Subsequent hardening measures (signup CAPTCHA, disposable email blocking, invitation rate limiting, workspace name filtering, and disabling invitations from guest accounts) took about a day; none of these changes are being pushed to self-hosted users. The post sparked extensive discussion on r/selfhosted, where developers reflected on the essential difference in trust boundaries between cloud-hosted and self-hosted software.
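To make the hardening list concrete, here is an added example (not Kaneo's code, and not taken from Acevski's post) of the same controls expressed as a single pre-send gate that a cloud-hosted invitation endpoint would call before handing a message to the mail provider: disposable-address blocking, workspace-name filtering, a per-account invitation budget, and a blanket refusal for guest accounts. The domain denylist, the name heuristics, the 20-per-hour budget and the `InviteGate` / `Decision` names are assumptions for illustration; the point is that the reputational risk of a shared sending domain is controlled at the point where user input becomes outbound mail.

```typescript
// Added example, not Kaneo's own code. Thresholds, patterns and names are assumptions.

// Constructed sample denylist; a real deployment would load a maintained list.
const DISPOSABLE_DOMAINS: ReadonlySet<string> = new Set([
  "mailinator.com",
  "tempmail.example",
  "10minutemail.example",
]);

// Heuristics for workspace names that are really phishing subject lines.
// The lure quoted in the post (":locked:Paul Brown ... invited you to join
// 3.4090_BTC receipt") trips several of these at once.
const SUSPICIOUS_NAME_PATTERNS: ReadonlyArray<RegExp> = [
  /:[a-z_]+:/i,                              // emoji shortcode such as ":locked:"
  /\binvited you\b/i,                        // text that mimics the invite template itself
  /\b\d+(?:\.\d+)?_?(?:BTC|ETH|USDT)\b/i,    // cryptocurrency amounts
  /\b(?:receipt|invoice|payment|refund)\b/i, // payment-themed bait
];

const MAX_INVITES_PER_HOUR = 20; // assumed per-account budget (sliding window)
const HOUR_MS = 60 * 60 * 1000;

interface Account {
  email: string;
  isGuest: boolean;
}

interface InviteRequest {
  workspaceName: string;
  recipients: string[];
}

type Decision = { allowed: true } | { allowed: false; reason: string };

// Returns true for addresses on the disposable list; malformed addresses are rejected too.
function isDisposableAddress(email: string): boolean {
  const at = email.lastIndexOf("@");
  if (at < 0) return true;
  return DISPOSABLE_DOMAINS.has(email.slice(at + 1).toLowerCase());
}

function isSuspiciousWorkspaceName(name: string): boolean {
  return SUSPICIOUS_NAME_PATTERNS.some((re) => re.test(name));
}

class InviteGate {
  // account email -> timestamps (ms) of invites sent inside the sliding window
  private readonly sent = new Map<string, number[]>();

  // The clock is injectable so the window logic can be tested deterministically.
  constructor(private readonly now: () => number = () => Date.now()) {}

  check(account: Account, req: InviteRequest): Decision {
    if (account.isGuest) {
      return { allowed: false, reason: "guest accounts cannot send invitations" };
    }
    if (isDisposableAddress(account.email)) {
      return { allowed: false, reason: "sender registered with a disposable address" };
    }
    if (isSuspiciousWorkspaceName(req.workspaceName)) {
      return { allowed: false, reason: "workspace name looks like a lure" };
    }

    // Sliding-window budget: drop timestamps older than an hour, then check
    // whether this batch would push the account over its allowance.
    const t = this.now();
    const recent = (this.sent.get(account.email) ?? []).filter((ts) => t - ts < HOUR_MS);
    if (recent.length + req.recipients.length > MAX_INVITES_PER_HOUR) {
      this.sent.set(account.email, recent);
      return {
        allowed: false,
        reason: `invite budget exceeded (${recent.length}/${MAX_INVITES_PER_HOUR} used this hour)`,
      };
    }
    recent.push(...req.recipients.map(() => t));
    this.sent.set(account.email, recent);
    return { allowed: true };
  }
}
```

The gate runs the cheap, stateless checks first (guest status, sender domain, workspace name) and only then touches the per-account counter, so a flood of rejected requests does not grow the rate-limit state. Note that the budget is charged per recipient, not per request, which is what matters when the abuse pattern is one request carrying roughly a hundred recipients.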

andrej.sh | Reddit