Nightmare Eclipse banned from GitHub and GitLab after releasing 6 uncoordinated Windows zero-days, threatens July 14 escalation

A security researcher operating under the aliases Nightmare Eclipse, Chaotic Eclipse, and Dead Eclipse has published working exploit code for six Windows zero-day vulnerabilities since early April 2026 without notifying Microsoft in advance. Three of them, BlueHammer (CVE-2026-33825), RedSun (CVE-2026-41091), and UnDefend (CVE-2026-45498), have been actively exploited in the wild. GitHub removed the researcher’s account around May 23, and GitLab followed on May 26–27. In a May 28 blog post, Microsoft said the disclosures “put our customers at unnecessary risk” and called on the community to uphold coordinated vulnerability disclosure (CVD) standards, adding that its security teams had been “working around the clock” to develop patches.

Three exploits remain unpatched as of publication: YellowKey (CVE-2026-45585, a BitLocker bypass), GreenPlasma, and MiniPlasma. The researcher, believed to be acting out of personal grievance against Microsoft’s Security Response Center, responded in a blog post promising a “bone shattering” drop on July 14 — the date of Microsoft’s next Patch Tuesday — and accusing the company of deleting the account through which they had previously reported bugs. Security researcher Kevin Beaumont, a former Microsoft engineer, described the situation as “a dumpster fire of their own making,” noting that Microsoft once hired a researcher who had similarly released zero-day code without coordination, conduct Redmond now characterizes in adversarial terms.

The Hacker News | The Register | Computer Weekly