Microsoft faces security community backlash over Nightmare Eclipse

Microsoft's public threat to pursue criminal charges against the researcher behind six Windows zero-day disclosures has turned a vulnerability dispute into a full-scale backlash from the security community.

The researcher, known as Nightmare Eclipse, published weaponized proof-of-concept code for six Windows vulnerabilities between early April and mid-May 2026 without coordinating with Microsoft. Three flaws, BlueHammer, RedSun, and UnDefend, have been exploited in live attacks. YellowKey, GreenPlasma, and MiniPlasma remain unpatched.

Microsoft fires back

Microsoft published a formal blog post on May 28 describing the disclosures as "never justifiable" and warning its Digital Crimes Unit would pursue cases against anyone enabling criminal activity through exploit code. The company accused the researcher of bypassing coordinated vulnerability disclosure standards.

Nightmare Eclipse disputes this. The researcher claims Microsoft deleted the Security Response Center account used to file the original bug reports and refused further contact. "You literally deleted the Microsoft account I used to report bugs to you with, and I got zero pennies from doing so," the researcher wrote.

The community pushback

The security industry is not siding with Microsoft. Katie Moussouris, who pioneered bug bounty programs at Microsoft and coined the coordinated disclosure framework the company now invokes, publicly criticized the blog post on Bluesky. Invoking "responsible disclosure" was the first problem, she wrote. Adding a Digital Crimes Unit prosecution threat made it worse and would push researchers away from trusting Microsoft.

Kevin Beaumont, a former Microsoft security engineer, called the situation "a dumpster fire of their own making," noting that Microsoft previously hired SandboxEscaper after she published zero-day exploit code without warning, behaviour Redmond now describes as criminal.

What is still unpatched and what comes next

Nightmare Eclipse was banned from GitHub around May 23 and GitLab on May 26-27, and now publishes from a personal blog. A July 14 exploit release targeting July's Patch Tuesday remains a threat, with warnings of escalation to remote code execution vulnerabilities.

Administrators should treat YellowKey, GreenPlasma, and MiniPlasma as active risks. For YellowKey, Microsoft's mitigation requires manually editing the offline WinRE registry hive and stripping autofstx.exe from the BootExecute value.

A TPM+PIN pre-boot configuration cuts off the physical extraction route entirely. Defender Engine version 1.1.26040.8 or later handles RedSun and UnDefend, and that update should not wait for a scheduled maintenance window.