The Nightmare Eclipse Timeline
Between April and June 2026, a security researcher going by Nightmare Eclipse dropped at least eight zero-day exploits targeting Microsoft Windows - hitting everything from Windows Defender to BitLocker. Three of them were picked up and exploited in the wild (CyberNews), attackers were chaining them with ransomware (Barry, Barracuda Networks), and CISA added them to its Known Exploited Vulnerabilities catalog. Hospitals, governments, banks - anything running Windows was at risk.
This is the timeline of how it happened.
Phase 1: The Breakdown (Pre-April 2026)
Before any of this went public, Nightmare Eclipse says they tried to work within the system, submitting reports through the Microsoft Security Response Center (MSRC), the official channel for reporting vulnerabilities to Microsoft. The researcher's account, as reported across multiple independent news outlets, is that:
- Microsoft allegedly deleted their MSRC account, cutting off access to their own prior submissions (CiphersSecurity; Okemwa, Windows Central).
- Microsoft withheld bounty payments the researcher believed they had earned (Okemwa, Windows Central).
- Microsoft removed their attribution from at least one published advisory (Martin, The Record).
- A Microsoft representative allegedly told them the company would "ruin my life and they did" (Ferreira, Tom's Hardware).
Microsoft has pushed back on some of these. A spokesperson told The Record that the company "does not remove MSRC researcher portal accounts" (Martin, The Record). Microsoft has also stated that the exploits were "never reported via its official channels prior to being made public" (Lyons, The Register).
What is not disputed by either side: the researcher published working exploits, Microsoft patched them, Microsoft threatened legal action, and both GitHub and GitLab suspended the researcher's accounts.
William Dormann of Tharros offered some broader context: "MSRC used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers" (Ferreira, Tom's Hardware). The suggestion is that this breakdown may not be an isolated incident but a symptom of wider institutional degradation.
Phase 2: BlueHammer Drops (April 2, 2026)
The first exploit went public on April 2. BlueHammer (CVE-2026-33825, CVSS 7.8) exploited a time-of-check to time-of-use flaw in Windows Defender's signature update workflow, allowing any authenticated local user to escalate privileges to SYSTEM - the highest privilege level in Windows, above even Administrator (Toulas, BleepingComputer).
The exploit chained five legitimate Windows components - Defender's update mechanism, the Volume Shadow Copy Service, the Cloud Files API, opportunistic locks, and the offline registry - into a single escalation path. This is not a trivial finding. Dormann confirmed to BleepingComputer that the flaw is "not easy to exploit" (Toulas, BleepingComputer), which only underscores the depth of understanding required to pull it off. Difficulty is also a poor comfort once a working exploit is public: anyone who can run the published code gets the same result without needing any of that understanding.
It was published on GitHub with a warning: "I was not bluffing Microsoft and I'm doing it again" (Toulas, BleepingComputer).
BlueHammer sat publicly available on GitHub for 51 days before the account was suspended (CiphersSecurity).
Phase 3: Five More Exploits in Rapid Succession (April–May 2026)
Over the following weeks, five more exploits rolled out (Barry, Barracuda Networks):
- RedSun (CVE-2026-41091, CVSS 7.8) - SYSTEM-level access via a link-following vulnerability in Windows Defender.
- UnDefend (CVE-2026-45498, CVSS 4.0) - Silently disables Defender's ability to receive updates and detect threats while making the system appear healthy. Despite the low CVSS score, this was exploited in the wild and required an emergency out-of-band patch (Parham, TechTimes). That is worth pausing on - a finding rated 4.0, the kind of thing that often gets dismissed as not worth engaging with, turned out to be a critical component in a real-world attack chain. A CVSS base score rates one flaw in isolation; it says nothing about what that flaw is worth as a step in a chain, which is exactly how this one was used.
- YellowKey (CVE-2026-45585, CVSS 6.8) - Bypasses BitLocker encryption, giving an attacker with physical access a SYSTEM-level shell on the protected volume - the exact outcome the encryption was meant to stop.
- GreenPlasma (CVE-2026-45586, CVSS 7.8) - SYSTEM-level access through the Windows Collaborative Translation Framework.
- MiniPlasma (CVE-2020-17103, CVSS 7.0) - Exploits a flaw in the Cloud Files Mini Filter Driver that was originally reported in 2020 and supposedly patched. Six years later, the original proof-of-concept still worked on fully patched Windows 11 (Bayram, Picus Security). A claimed fix that was never actually a fix - for six years.
Across all six, the average CVSS score was 6.9, just under the 7.0 threshold for High severity, and five of the six granted SYSTEM-level access.
Three - BlueHammer, RedSun, and UnDefend - were confirmed as being actively exploited in real-world attacks (CyberNews). Attackers assembled a multi-stage chain: escalate privileges, blind endpoint detection, bypass disk encryption, persist through alternative paths (Barry, Barracuda Networks). CISA added the exploited vulnerabilities to its Known Exploited Vulnerabilities catalog.
RedSun was exploited in the wild for six weeks before Microsoft issued a formal CVE or patch (Parham, TechTimes).
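The blinding step in that chain - UnDefend's Defender that looks healthy while no longer updating or detecting - is the one a defender can actually check for, provided the check does not trust the Security Center tile. The script below is an added example written for this page; it is not code from the original article, from the researcher, or from Microsoft. It uses the standard Defender and BitLocker cmdlets (Get-MpComputerStatus, Get-MpPreference, Get-WinEvent, Get-BitLockerVolume) to pull the engine's own state, the signature timestamp, the tamper-relevant preferences, the operational event log, and BitLocker protection status. The function name, the three-day signature-age threshold, the 72-hour lookback and the choice of event IDs are my assumptions, and it needs an elevated PowerShell session on a Windows 10 or 11 host.

```powershell
# Added example: independent Defender / BitLocker health check.
# Not from the original page, the researcher, or Microsoft.
# Assumptions: elevated session on Windows 10/11 with the Defender and
# BitLocker modules present; MaxSignatureAgeDays and LookbackHours are
# arbitrary thresholds chosen for this example.

function Test-EndpointProtectionHealth {
    param(
        [int]$MaxSignatureAgeDays = 3,
        [int]$LookbackHours = 72
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Ask the antimalware engine directly rather than the Security Center UI.
    $status = Get-MpComputerStatus
    if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service is not running') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring is off') }
    if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is off') }

    # 2. Judge signature freshness from the timestamp, not from any "up to date" flag.
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings.Add(('Signatures last updated {0:u} ({1:N1} days ago), version {2}' -f
            $status.AntivirusSignatureLastUpdated, $sigAge.TotalDays, $status.AntivirusSignatureVersion))
    }

    # 3. Preferences that quietly switch protection off while the service keeps running.
    $pref = Get-MpPreference
    if ($pref.DisableRealtimeMonitoring) { $findings.Add('DisableRealtimeMonitoring preference is set') }
    if ($pref.DisableBehaviorMonitoring) { $findings.Add('DisableBehaviorMonitoring preference is set') }

    # 4. Operational log: update failures and protection-disabled events.
    #    2001 = signature update failed, 5001 = real-time protection disabled,
    #    5010 = antispyware scanning disabled, 5012 = antivirus scanning disabled.
    #    Get-WinEvent errors when nothing matches, so that case is silenced.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = @(2001, 5001, 5010, 5012)
        StartTime = (Get-Date).AddHours(-$LookbackHours)
    }
    foreach ($e in $events) {
        $findings.Add(('Defender event {0} at {1:u}: {2}' -f $e.Id, $e.TimeCreated,
            ($e.Message -split "`n")[0]))
    }

    # 5. BitLocker: every volume should be fully encrypted with protection on.
    #    Removable media show up here too; treat those findings accordingly.
    $volumes = Get-BitLockerVolume -ErrorAction SilentlyContinue
    foreach ($v in $volumes) {
        if ($v.ProtectionStatus -ne 'On' -or $v.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add(('BitLocker {0}: protection {1}, status {2}' -f
                $v.MountPoint, $v.ProtectionStatus, $v.VolumeStatus))
        }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

$result = Test-EndpointProtectionHealth
$result | Format-List
if (-not $result.Healthy) { exit 1 }
```

Two caveats belong with this. A check that runs on the host it is assessing is only as trustworthy as that host: an attacker who already holds SYSTEM can influence what these cmdlets return, so the output should be shipped to central telemetry and compared there, and the reported signature version should be compared with the version Microsoft is currently publishing rather than only with a local age threshold. Second, a Defender that has been disabled by a chain like the one above will not log its own blinding as a detection, which is why the script looks at service state, timestamps, preferences and the operational log independently instead of at any single summary field.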
Phase 4: Platforms Shut Down, Microsoft Calls the Cops (May 2026)
- May 23 - GitHub suspended Nightmare Eclipse's account (Montalbano, Dark Reading).
- May 26 - GitLab suspended the account (Montalbano, Dark Reading).
- May 28 - Microsoft's Digital Crimes Unit issued a public statement suggesting criminal prosecution, stating it would "continue bringing cases against these actors and those that enable their criminal activity" (Lyons, The Register).
The cybersecurity community pushed back hard.
Kevin Beaumont, a prominent researcher and former Microsoft employee, called the situation "a dumpster fire of [Microsoft's] own making" (Lyons, The Register). Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, noted: "CVD is a two-way street. The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold" (Lyons, The Register).
Katie Moussouris - the person who built Microsoft's own bug bounty program - pointed out that Microsoft's statement revived the term "responsible disclosure," language the company had formally retired in 2010. Her take: "No vendor uses that term unless they want to call someone irresponsible" (Martin, The Record).
Microsoft later clarified it had "no intention to pursue action against individuals conducting or publishing their security research," dropped the term "responsible disclosure" from its messaging, and acknowledged that "some interactions have fallen short" (Martin, The Record).
Nightmare Eclipse responded: "When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people. You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot" (Lyons, The Register).
Not everyone is sympathetic. Barry, writing for Barracuda Networks, explicitly labelled the researcher "a malicious actor - not a whistleblower, not a responsible disclosure advocate and not a neutral researcher" (Barry, Barracuda Networks). Others have pointed to the researcher's increasingly hostile language - in one post, Nightmare Eclipse wrote: "Mark this date July 14th, I will make sure your bones are shattered that day" (Lyons, The Register). Childs called the language "troubling," and Moussouris noted the "incendiary language" (Lyons, The Register).
While none of that should be ignored or sanitised, the "malicious actor" framing misses the timeline. That label only makes sense if everything that came before the public release gets ignored - the allegedly deleted MSRC account, the withheld bounty, the removed attribution, the legal threats. Strip that context away and sure, it looks like unprovoked destruction. Put it back in and it starts to look like the predictable consequence of closing every cooperative channel while still expecting cooperation. Focusing on the researcher's tone instead of the substance of what they found is its own kind of dismissal - eight working zero-day exploits in core Windows components warranted emergency patches, but the industry conversation centred on the language of a blog post.
There is also a financial side to this that is hard to overlook. According to Microsoft's own published bounty rates, endpoint zero-day vulnerabilities pay between $30,000 and $100,000 each, with Hyper-V exploits going up to $250,000 (Okemwa, Windows Central). Eight qualifying zero-days would put the total somewhere between $240,000 and $800,000. As far as the public record shows, the researcher has not been paid for any of them. They acknowledged the sacrifice themselves: "I could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft" (Okemwa, Windows Central). That alone makes the "malicious actor" framing hard to sustain - a malicious actor sells quietly on the black market, makes significantly more money, and nobody ever knows. Nightmare Eclipse did the exact opposite: maximised visibility, not damage. And it is obviously working in some sense, since three of the first six were patched within days of public release.
The real question nobody seems to be asking is why the conversation only ever puts the obligations on the researcher. As Moussouris herself puts it, "the power they hold is not at all proportionate to the vendor. This is a David and Goliath dynamic we don't like to see play out, especially since it's users who lose when coordination negotiations fail" (Lyons, The Register).
Phase 5: It Doesn't Stop (June 2026)
Microsoft's June 2026 Patch Tuesday addressed GreenPlasma and YellowKey. Within hours, Nightmare Eclipse released RoguePlanet from a self-hosted repository - having been banned from both GitHub and GitLab. RoguePlanet exploits a race condition in Microsoft Defender to escalate to SYSTEM on fully patched Windows 10 and 11 (Abrams, BleepingComputer). ThreatLocker independently confirmed it works (Abrams, BleepingComputer).
The next day: GreatXML, a BitLocker bypass the researcher said they discovered in four hours, bringing the total exploit count to eight (Lyons, The Register).
The researcher has promised further disclosures and has stated they possess "a batch of memory corruption vulnerabilities in Defender" alongside vulnerabilities in other components (Montalbano, Dark Reading). They also reported that other researchers had approached them and in some cases provided vulnerabilities directly (Martin, The Record) - meaning the adversarial disclosure pathway is no longer a single individual but a channel.
It is not just Nightmare Eclipse either. Another researcher, Ammar Askar, dropped a proof-of-concept for a Visual Studio Code vulnerability within an hour of disclosing it. His reason? Microsoft had previously "silently fixed the bug I pointed out without any credit" and "marked it as not having any security impact" (Jones, The Register).
The Bigger Picture
I wrote a full paper on the ethics behind this breakdown - Reciprocal Disclosure and the Ethics of Vulnerability Reporting. It examines why the current "responsible disclosure" model loads all the moral weight onto the researcher while the organization's obligations remain implied and unenforceable, and proposes a framework called reciprocal disclosure that holds both sides to the same standard. If you want to dig into the philosophy, the fifteen principles, and the four new terms the paper introduces - retaliation by infrastructure, tone displacement, silent patching, and chaining awareness - it is available as a free PDF here.