
GitHub Bans Researcher Over Windows Zero-Days and Unpaid Bug Bounty

GitHub bans Nightmare-Eclipse security researcher over Windows zero-day exploits and bug bounty dispute

GitHub, which is owned by Microsoft, has banned security researcher Nightmare-Eclipse after the researcher released six unpatched Windows zero-day exploits in retaliation for what they describe as a broken agreement and an unpaid bug bounty. Three of those exploits are actively weaponized in enterprise intrusions right now. GitLab suspended the researcher’s migrated account three days later. The researcher is threatening a “bone shattering drop” on July 14. Microsoft’s response has managed to make a bad situation worse.

What the Exploits Actually Do

This isn’t theoretical. Huntress Labs confirmed active exploitation in mid-April 2026, two weeks after the first disclosure. CISA added the exploits to its Known Exploited Vulnerabilities catalog on April 22. The attack chain is clean and effective.

BlueHammer (CVE-2026-33825, patched in April) exploits a race condition in Windows Defender’s update workflow. Because Defender runs as SYSTEM, attackers redirect its file reads to extract SAM database contents — giving them NTLM hashes and a SYSTEM shell. No kernel exploit. No memory corruption. Just a clever abuse of how Defender interacts with the file system.

RedSun, still unpatched, follows the same pattern through a different code path targeting TieringEngineService. It works on fully patched Windows 10, 11, and Server 2019 even after the April Patch Tuesday updates. As one security firm’s analysis put it: “RedSun does not require a new vulnerability. It requires Defender to be running and doing its job.”

UnDefend completes the chain. It progressively starves Defender of threat intelligence without triggering alerts, degrading endpoint protection while the endpoint appears healthy. Three more exploits — YellowKey (BitLocker bypass), GreenPlasma, and MiniPlasma — round out the set. All six were released in roughly seven weeks.
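The failure mode described for UnDefend, signatures quietly going stale while the endpoint still looks healthy, is something you can check for directly. The script below is an added example written for this article, not code from the researcher, Microsoft, or any of the firms quoted; it uses only the built-in Defender cmdlets and operational log, and the three-day staleness threshold is an assumption to adjust for your estate.

```powershell
# Added example: Defender posture check for silent signature starvation and
# disabled protection components. Thresholds are assumptions, not vendor guidance.
param(
    [int]$MaxSignatureAgeDays = 3   # assumption: most estates update at least daily
)

$status   = Get-MpComputerStatus
$findings = @()

# 1. Stale threat intelligence. The *SignatureAge properties are reported in days.
$ageChecks = @{
    'AntivirusSignatureAge'   = 'Antivirus'
    'AntispywareSignatureAge' = 'Antispyware'
    'NISSignatureAge'         = 'Network inspection'
}
foreach ($prop in $ageChecks.Keys) {
    if ($status.$prop -gt $MaxSignatureAgeDays) {
        $findings += "$($ageChecks[$prop]) signatures are $($status.$prop) days old"
    }
}
$findings += "Antivirus signatures last updated: $($status.AntivirusSignatureLastUpdated)" |
    Where-Object { $status.AntivirusSignatureAge -gt $MaxSignatureAgeDays }

# 2. Protection components that have been switched off without anyone noticing.
foreach ($prop in 'AMServiceEnabled', 'AntivirusEnabled', 'RealTimeProtectionEnabled',
                  'BehaviorMonitorEnabled', 'IoavProtectionEnabled') {
    if (-not $status.$prop) { $findings += "$prop is False" }
}

# 3. Recent update failures or protection-disabled events in the Defender log.
#    2001 = definition update failed, 5001 = real-time protection disabled,
#    5010 / 5012 = malware / virus scanning disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2001, 5001, 5010, 5012
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $findings += "Event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
}

if ($findings.Count -eq 0) {
    Write-Output "Defender posture check passed (signatures <= $MaxSignatureAgeDays days old, components enabled)."
    exit 0
}
Write-Output "Defender posture check found $($findings.Count) issue(s):"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

Run it from an elevated PowerShell session; a non-zero exit code makes it easy to schedule across a fleet and alert on the hosts that fail.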

The Dispute That Started This

Nightmare-Eclipse describes their campaign as retaliation, not profit. The researcher claims Microsoft violated an agreement and “left me homeless with nothing,” that MSRC deleted their bug-reporting account, and that a Microsoft staffer told them directly: “they will ruin my life and they did.” They say they received no payment for the vulnerabilities they reported.

Microsoft’s position: “The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.” The company denies receiving any prior disclosure for any of the six exploits. That contradiction — researcher says Microsoft broke the deal, Microsoft says no deal existed — sits at the heart of this.

This isn’t unprecedented. Researcher SandboxEscaper did something similar in 2018, releasing Windows zero-days out of frustration with Microsoft’s disclosure process. Microsoft eventually hired them. History has a pattern here.

Microsoft Used Its Own Platform to Ban a Critic

GitHub is owned by Microsoft. When Microsoft banned Nightmare-Eclipse’s account on May 23, it used its control over the world’s largest code-hosting platform to silence a researcher publicly accusing it of wrongdoing. GitLab followed three days later.

The security community noticed. Katie Moussouris, who pioneered Microsoft’s bug bounty program, called the company’s public response “mixed messages” and said the Digital Crimes Unit mention was “vaguely threatening,” creating a chilling effect on researcher participation. Dustin Childs of Zero Day Initiative noted that “CVD is a two-way street.” Kevin Beaumont called it a “dumpster fire of their own making.”

The conflict of interest is real. A company that controls the infrastructure researchers depend on also controls whether those researchers can publish. That is not a setup that supports coordinated disclosure.

The Structural Problem

The weaponized disclosures are indefensible. Real enterprises are being hit by threat actors who grabbed freely available exploit code. There is no version of this where releasing unpatched zero-days to the public is the right call.

But the bug bounty ecosystem created the conditions. Microsoft paid out $17M in bounties in FY2025. The per-vulnerability range for endpoint zero-days runs $30K to $100K. The program is not small. And yet disputes happen — researchers bear the legal and reputational risk of finding and reporting critical flaws, while companies hold the money and, as it turns out, the platforms.

The volume of these disputes is only going to increase. As AI tools lower the barrier to finding vulnerabilities, more researchers will flood bug bounty programs with reports. Some will get paid. Some won’t. Microsoft is already reforming its bounty structure — shifting from points-based to payment-based rankings in July 2026. Whether that reform arrived too late for Nightmare-Eclipse is a question the industry will be debating until July 14, when the next promised disclosure is scheduled.

BlueHammer is patched. RedSun and UnDefend are not. If you haven’t reviewed your Windows Defender posture this week, Bleeping Computer’s exploitation coverage is the place to start.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
