Key Takeaways

- Six Windows zero-days released by Nightmare Eclipse since April, with three confirmed in active exploitation
- Microsoft has involved law enforcement and threatened legal action against the researcher
- July 14 Patch Tuesday could bring additional exploit releases, prompting organizations to prepare emergency responses
The standoff between Microsoft and an anonymous security researcher has turned into one of the most dramatic conflicts the infosec community has seen in years. The researcher, known as Nightmare Eclipse or Chaotic Eclipse, has released six Windows zero-day vulnerabilities since April 2026. Three are already being exploited in the wild. And the researcher says more are coming on July 14.
Microsoft responded Wednesday with a blog post on what it called "uncoordinated vulnerability disclosure." The company confirmed the bugs are real: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. None were reported through official channels before going public, Microsoft said.
The company also made its stance clear. It has contacted law enforcement and hinted at legal action against the researcher.
Six Vulnerabilities, Three Under Active Attack
Attackers moved quickly after Nightmare Eclipse published working proof-of-concept exploit code. BlueHammer, RedSun, and UnDefend are now being used in active attacks, according to Microsoft and CISA. The code was posted to GitHub and GitLab accounts that have since been banned. GitHub, notably, is owned by Microsoft.
Three vulnerabilities remain unpatched: YellowKey, GreenPlasma, and MiniPlasma. Microsoft has flagged YellowKey (CVE-2026-45585) as "exploitation more likely" because a working proof-of-concept exists. The YellowKey exploit targets BitLocker and can bypass encryption in about 60 seconds on modern Windows systems.
The Breakdown in Relations
How did this happen? The researcher claims Microsoft terminated their MSRC (Microsoft Security Response Center) account, cutting off their ability to report vulnerabilities through proper channels. In their latest post, Nightmare Eclipse painted a picture of being ignored and insulted.
“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people. You defame me.”
— Nightmare Eclipse, security researcher
Microsoft declined to answer The Register's questions about whether the researcher is a current or former employee, whether it plans to sue, or whether it terminated the researcher's MSRC account.
The company's blog post did not mince words about its view of the situation: "Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences."
Security Community Divided
Reactions in the security community are split. Some defend the researcher's right to demonstrate flaws when they feel bug bounty programs have failed them. Others call the approach reckless and harmful.
Former MSRC Program Manager David Chen criticized Microsoft's legal posture: "Legal threats against researchers who are providing proof-of-concept exploits for valid, albeit ignored, bugs is counterproductive to the entire ecosystem's safety."
Industry discussion on the Microsoft-researcher conflict
On Hacker News, discussions are polarized. Many sysadmins expressed concern about July 14, the date Nightmare Eclipse chose for the next release. It falls on Patch Tuesday, Microsoft's monthly security update cycle. Some organizations are already planning "all-hands-on-deck" responses.
What Organizations Should Do Now
With three exploits already in active use and three more without patches, security teams face an unpleasant few weeks. The YellowKey BitLocker bypass is particularly concerning for organizations relying on disk encryption for endpoint security.
- Monitor CISA advisories for updates on the six named vulnerabilities
- Prepare incident response plans for July 14 Patch Tuesday
- Review BitLocker configurations and consider additional endpoint protections
- Track Microsoft's security blog for patch releases on YellowKey, GreenPlasma, and MiniPlasma
The July 14 date is deliberate. By releasing on Patch Tuesday, Nightmare Eclipse maximizes the window between disclosure and fix. Even if Microsoft scrambles to include patches in that month's update, organizations will need to test and deploy them while attackers race to weaponize any new exploits.
A Larger Pattern
This conflict arrives during what some researchers have called a "vulnpocalypse." AI-powered bug hunting tools are uncovering vulnerabilities faster than vendors can patch them. Microsoft's Patch Tuesday releases have grown substantially in recent months as the company tries to keep pace.
The company recently promised more bug payouts through its bounty program, but that may not matter to researchers who feel locked out of official channels. If Nightmare Eclipse's claims about their MSRC account are accurate, the company's gatekeeping may have backfired.
Logicity's Take
Frequently Asked Questions
What are the six Microsoft zero-days released by Nightmare Eclipse?
RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Three (BlueHammer, RedSun, UnDefend) have patches. Three (YellowKey, GreenPlasma, MiniPlasma) remain unpatched.
Are these Windows vulnerabilities being actively exploited?
Yes. CISA confirms three of the six exploits are being used in active ransomware campaigns. BlueHammer, RedSun, and UnDefend are under active exploitation.
What happens on July 14, 2026?
Nightmare Eclipse has threatened a "bone shattering" exploit release on that date, which coincides with Microsoft's July Patch Tuesday.
Can Microsoft stop the researcher legally?
Microsoft has involved law enforcement and hinted at legal action, but has not confirmed specific plans. The researcher's identity and location are unknown.
How can organizations protect against these zero-days?
Apply available patches immediately for BlueHammer, RedSun, and UnDefend. For unpatched vulnerabilities, monitor CISA advisories and prepare incident response plans for July 14.
Related security threat affecting enterprise systems
Need Help Implementing This?
Source: Hacker News: Best
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
Related Articles
More in Trending Tech
AI Revolution: How Tech is Transforming the World, One Industry at a Time
From desalination plants in Iran to AI-powered manufacturing, the tech world is abuzz with innovation. Discover how AI is changing the game for small entrepreneurs and what it means for the future of industry. Explore the latest developments in cybersecurity, robotics, and more.

Revolutionizing AI: The Game-Changing Tech That's Making Agents Smarter
A new technology is set to revolutionize the way AI agents learn and adapt, enabling them to accumulate wisdom and apply it to new situations. This innovation has the potential to significantly boost the reliability of AI agents, especially in complex tasks. By converting raw agent trajectories into reusable guidelines, this tech is poised to transform the AI landscape.

The Dark Side of AI: How Bots Are Fueling a Monetized Abuse Ecosystem
A recent analysis of 2.8 million Telegram messages reveals a shocking truth: AI-powered bots are being used to create and sell non-consensual intimate images. These bots can turn ordinary photos into synthetic nude images, and the abuse is being monetized through affiliate programs and subscription-based archives. The researchers behind the study are calling for stricter regulations to combat this growing problem.

AI's Secret Sauce: How Journalism Became the Unlikely Ingredient
A recent study reveals that AI chatbots rely heavily on journalistic sources for their quotes, with one in four coming from news outlets. This shocking discovery has significant implications for the media industry and our understanding of AI's information gathering processes. As AI technology continues to evolve, it's essential to consider the role of journalism in shaping its responses.



