Nightmare-Eclipse vs Microsoft: GitHub Ban, Unpaid Bounties, and a July 14 Warning

Security researcher Nightmare-Eclipse (also known as Chaotic Eclipse) is publicly accusing Microsoft of vindictive retaliation after the company flagged and wiped their GitHub account following the publication of multiple Windows zero-day exploits, including YellowKey, which bypasses BitLocker on Windows 11 using a USB drive. The dispute has grown into one of the most public falling-outs between a security researcher and a major software vendor in recent memory, with Eclipse warning that a major disclosure is planned for July 14.

Nightmare-Eclipse vs Microsoft: GitHub Ban, Unpaid Bounties, and a July 14 Warning

What Triggered the GitHub Ban

Eclipse published the YellowKey zero-day exploit earlier this month. The exploit lets an attacker access BitLocker-protected drives on Windows 11 using nothing more than a USB drive, with no password or recovery key required. Eclipse claimed the backdoor into Windows 11’s BitLocker protection was intentional by design and noted that Windows 10 is not affected.

Microsoft publicly acknowledged the vulnerability last week, tracking it as CVE-2026-45585 and publishing mitigation guidance. In its advisory, Microsoft stated that the proof-of-concept had already been made public, which Microsoft said violated coordinated vulnerability disclosure best practices.

Shortly after that acknowledgment, Microsoft flagged Eclipse’s GitHub account and removed it from public view. Microsoft also deleted the Microsoft account Eclipse had used to report vulnerabilities, according to Eclipse’s own statement. Eclipse confirmed the move in a blog post and announced a migration to GitLab.

Eclipse’s Six Zero-Day Exploits

Eclipse has published six Windows zero-day exploits in total. Their catalog includes:

  • BlueHammer: Grants SYSTEM-level access via Microsoft Defender
  • RedSun (CVE-2026-41091): Also achieves SYSTEM access via Defender
  • UnDefend (CVE-2026-45498): Disables Microsoft Defender completely
  • GreenPlasma: Gains SYSTEM access via the CTFMon service
  • MiniPlasma: Grants SYSTEM access via a flaw in the Windows Cloud Filter driver
  • YellowKey (CVE-2026-45585): Bypasses BitLocker on Windows 11 using a USB drive

Microsoft has confirmed that BlueHammer, RedSun, and UnDefend are all under active exploitation in the wild. The CVE-2026-41091 and CVE-2026-45498 vulnerabilities in Defender represent immediate risks for Windows users that require attention now. Because Eclipse published full or partial proof-of-concept code for each exploit, threat actors picked them up quickly.

The MSRC Bounty Dispute

The core of Eclipse’s grievance appears to involve unpaid bug bounties from Microsoft’s Security Response Center (MSRC) program.

Microsoft’s MSRC bounty program pays between $30,000 and $100,000 per endpoint zero-day, depending on the quality and conditions of the submission. Reports that bypass Hyper-V can earn up to $250,000. Microsoft evaluates submissions based on severity, ease of reproduction, and report quality, including documentation and proof-of-concept code.

Eclipse claims Microsoft ignored their vulnerability reports and paid nothing despite multiple disclosures. In their blog post, Eclipse wrote: “I got zero pennies from doing so and I still happily did like an idiot.”

Security expert William Dormann from Tharros added context, noting that MSRC used to be excellent to work with but that Microsoft reportedly replaced skilled staff with what Dormann described as flowchart followers. Dormann speculated that Microsoft may have closed Eclipse’s case after Eclipse declined to submit a video demonstration of the exploit, which has apparently become a newer MSRC submission requirement.

Eclipse also described multiple failed communication attempts, stating that Microsoft “refused, humiliated me and made sure to insult me in front of people.” When publishing YellowKey, Eclipse stated: “I could have made some insane cash selling this, but no amount of money will stand between me and my determination against Microsoft.”

Microsoft’s Response

Microsoft has not issued any public statement on the GitHub ban or Eclipse’s allegations. The company has not addressed the bounty dispute, the account deletion, or the removal of Eclipse’s GitHub repository.

Security observers have widely criticized the GitHub ban. Since Eclipse’s proof-of-concept code is already publicly available, removing the GitHub account provides no meaningful security benefit. According to Tom’s Hardware, the move instead generates negative press while achieving nothing for security, since the code is out there anyway.

What Happens on July 14

In their blog post, Eclipse issued a direct warning about July 14. The post references a dead-man switch of some sort and indicates that Eclipse plans to release damaging disclosures or documentation on that date. Eclipse also cited holding back evidence supporting their claims because “Microsoft still has chains in my hands.”

The post states: “Mark this date July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release smtg, depending on circumstances).”

Given Eclipse’s demonstrated ability to find serious vulnerabilities in core Windows components, any July 14 release carries real security implications. Microsoft has remained silent, leaving the situation unresolved with a hard deadline approaching.

The Eclipse situation highlights a growing tension in vulnerability disclosure. Researchers who find critical flaws in widely used software take on significant personal risk, invest substantial time, and sometimes receive nothing in return. When trust between a researcher and a vendor breaks down, as it clearly has here, uncoordinated public disclosure becomes the outcome.

For Windows users, the immediate priority is patching. The YellowKey BitLocker vulnerability still has no patch from Microsoft, and the Defender vulnerabilities under CVE-2026-41091 and CVE-2026-45498 are actively exploited. Applying published mitigations and monitoring for Microsoft security updates should take priority.

Related Security and Tech Guides

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply