Nightmare Eclipse banned from GitHub and GitLab, vows July 14 attack

The security researcher behind six Windows zero-day disclosures in six weeks has been removed from both GitHub and GitLab within days of each other and is now operating exclusively from a personal blog. The researcher, who goes by Nightmare-Eclipse, Chaotic Eclipse, and Dead Eclipse, has responded with an explicit threat targeting July 14, the date of next month's Patch Tuesday.

Microsoft was accused of flagging and wiping the GitHub repositories around May 23, 2026. The researcher moved to GitLab, but GitLab suspended the account on May 26-27 for hosting weaponized zero-day exploit code. With both major code-hosting platforms now closed, the researcher is publishing directly to their own blog and has signaled the disruption has not changed their plans.

Six zero-days in six weeks

Since early April 2026, Nightmare Eclipse has publicly released weaponized proof-of-concept for six Windows vulnerabilities: BlueHammer, RedSun, UnDefend, YellowKey, Green Plasma, and MiniPlasma. None were disclosed through coordinated channels before publication. All six targeted components are located at or below the endpoint security layer.

Microsoft has now patched three of the six. BlueHammer was assigned CVE-2026-33825 and fixed in the April 14 Patch Tuesday. RedSun and UnDefend were addressed out-of-band on May 21 as CVE-2026-41091 and CVE-2026-45498 after Huntress confirmed active exploitation of all three in real-world attacks. CISA added all three to its Known Exploited Vulnerabilities catalog, with federal agencies required to patch CVE-2026-41091 and CVE-2026-45498 by June 3.

YellowKey, GreenPlasma, and MiniPlasma remain unpatched as of the publication date. MiniPlasma targets the Windows Cloud Filter driver and can escalate a standard user account to SYSTEM on fully patched Windows 11 systems running the latest May 2026 updates. BleepingComputer and multiple independent researchers confirmed the exploit works without modification.

What July 14 could mean?

In a signed post, the researcher addressed Microsoft directly: "Mark this date, July 14th. I will make sure your bones are shattered that day." They indicated no new disclosures are planned for June, though they reserved the right to change course. Previous posts warned of an intent to escalate to remote code execution vulnerabilities if Microsoft continued to dismiss their reports.

Being de-platformed from both GitHub and GitLab removes the easiest distribution channels for compiled binaries and source code, but a personal blog with direct downloads achieves the same result for any researcher willing to maintain it. Security analysts at Barracuda Networks have noted that the exploit chain Nightmare Eclipse, which combines privilege escalation via BlueHammer, RedSun, or MiniPlasma with Defender suppression via UnDefend, has already been seen in confirmed network intrusions. It remains to be seen whether new material will surface on July 14 as a proof-of-concept, a remote code execution release, or something else. This researcher issued every prior warning before making an actual disclosure.