Microsoft Had the Researcher Banned Rather Than Fix the Bugs They Found
Key Takeaways
- Security researcher Nightmare-Eclipse was banned from GitHub on May 23, 2026, and suspended from GitLab three days later after publicly releasing six Windows Defender exploit tools Microsoft refused to patch.
- The campaign started on April 2, 2026, producing three core proof-of-concept tools targeting Windows Defender privilege escalation and defense disabling: BlueHammer, RedSun, and UnDefend. Only BlueHammer received a patch.
- Huntress confirmed real-world criminal use of all three tools beginning April 10, 2026, meaning the two unpatched vulnerabilities are actively being exploited while Microsoft has issued no fix.
- Microsoft accused the researcher of violating coordinated vulnerability disclosure best practices after having already deleted the MSRC account the researcher used to file reports, leaving no legitimate channel open.
- The researcher has announced July 14, 2026 as the date of a major follow-up disclosure and claims to be holding back a more damaging exploit variant in reserve.
When Microsoft Deletes the Door You Were Told to Knock On
Security researchers who find critical vulnerabilities are supposed to report them through official channels and only go public if the vendor goes silent. Nightmare-Eclipse did exactly that, and Microsoft deleted the account they used to file those reports.
The campaign started on April 2, 2026, when Nightmare-Eclipse released BlueHammer, a proof-of-concept exploit targeting a race condition in Windows Defender's threat remediation engine. The vulnerability, rated CVSS 7.8, lets a low-privilege attacker escalate to full SYSTEM access on any patched Windows machine. Microsoft shipped a patch in the April 2026 Patch Tuesday update.
The NVD entry for CVE-2026-33825 classifies it as insufficient granularity of access control in Microsoft Defender, with exploit code maturity confirmed at proof-of-concept. The MSRC advisory lists the impact as elevation of privilege with a max severity of "important." That part of the story looks almost normal.
In a signed statement responding to that patch, the researcher described being told personally by Microsoft that the company would "ruin my life" and stated that Microsoft had revoked the MSRC account they used to submit vulnerability reports, wiping it entirely despite multiple requests for an explanation.
A case had been filed on BlueHammer and dismissed. MSRC was fully aware a public disclosure was coming and chose not to engage. I think it's worth sitting with that. The company, now calling the researcher's conduct a violation of coordinated disclosure best practices, had already shut the door on every legitimate channel those best practices require.
Two more tools followed. RedSun and UnDefend, released publicly in the weeks after, target Defender's cloud file rollback mechanism and signature update pipeline, respectively. Both remain unpatched as of publication.
Unpatched and Already in Criminal Hands
Huntress documented active exploitation of all three tools in a real-world intrusion beginning April 10, 2026, eight days after the first public release. Threat actors had obtained the tools, disguised them as innocuous filenames like FunnyApp.exe, and deployed them via compromised VPN credentials against a live target.
None of the exploit attempts in that incident succeeded, but the point stands regardless. The tools were in criminal hands within a week of publication, with two of the three vulnerabilities they target still unpatched. The reality is that the unpatched flaws are being run against real networks, and Microsoft has no patch to offer the people defending those networks.
It's also worth noting that Huntress later observed Microsoft silently patching RedSun with no CVE and no advisory. For a company invoking responsible disclosure as its justification for everything that follows, that's a revealing choice.
Banned From GitHub, Then GitLab, With July 14 Still Coming
On May 23, 2026, the researcher posted a signed message to their blog announcing that Microsoft had flagged and wiped their GitHub account. The new GitLab profile, created the same day and described simply as "Microsoft's nightmare," lasted three days. GitLab suspended the account on May 26, with the profile now showing as blocked and all repositories wiped.
Two platforms, less than a week, zero additional patches. What the bans accomplished was to remove the public audit trail, making it harder for security teams to study the techniques and build defenses. The tools still exist, and so do the vulnerabilities.
Microsoft has a documented habit of responding to unwanted attention by removing it from the platforms it can influence rather than addressing the underlying problem, and this case fits that pattern closely.
Nightmare-Eclipse's response was to mark July 14, 2026, on the calendar. A major disclosure is coming regardless of what patches Microsoft ships before then. They also state they have not published the full PIN+TPM variant of YellowKey, meaning a more severe version is being held in reserve.
The way the researcher chose to fight this battle sits in a pretty gray zone. But no matter how you view this situation, one thing is clear: it’s entering the endgame, and if Nightmare-Eclipse is not bluffing and Microsoft continues holding on to its “censorship over actually fixing the issues” strategy, July 14 will likely come with a lot of heavy cybersecurity world news. All we can do now is observe.

Dominykas is a technical writer with a mission to bring you information that will help you in keeping your digital privacy and security protected at all times. If there's knowledge that can help keep you safe online, Dominykas will be there to cover it.
