    GitHub Banned a Researcher — Now 3 Windows Exploits Are in the Wild

    By Amitabh Sarkar | June 1, 2026 | Updated: June 1, 2026 | 5 Mins Read

    GitHub banned security researcher Nightmare-Eclipse after they published six weaponized Windows exploits over six weeks, and the ban immediately backfired. The exploits were cloned across other platforms within hours, and three are now being used in active enterprise intrusions. Microsoft’s attempt to silence the disclosure has made the situation significantly worse.

    Table of Contents

    • Six Exploits in Six Weeks — and Microsoft Paid Nothing
    • The Ban That Backfired Immediately
    • Who's Actually at Risk Right Now
    • The Responsible Disclosure Debate This Reopens
    • Frequently Asked Questions

    Six Exploits in Six Weeks — and Microsoft Paid Nothing

    Nightmare-Eclipse began publishing exploits in April 2026, after claiming Microsoft’s Security Response Center refused communication, deleted their bug-reporting account, and paid zero bug bounties for vulnerabilities they had responsibly disclosed. The exploits are specific and dangerous: BlueHammer and RedSun both escalate privileges to SYSTEM via Windows Defender; UnDefend takes Defender offline entirely; YellowKey bypasses BitLocker encryption with a USB stick; GreenPlasma and MiniPlasma exploit flaws in the CTFMon service and Windows Cloud Filter driver respectively.

    Microsoft patched some of these flaws — but not all of them. The company indirectly accused the researcher of violating coordinated vulnerability disclosure norms, the industry standard under which researchers give vendors 90 days to patch before going public. Eclipse’s response: they gave Microsoft months and got nothing in return.

    Tom’s Hardware, which broke the story, reports that the researcher claims Microsoft “ruined their life” and left them “homeless with nothing.” Security experts quoted in the piece called the GitHub ban “vindictive” and predicted it would backfire.

    The Ban That Backfired Immediately

    GitHub banned Nightmare-Eclipse on May 23, 2026. GitLab followed on May 26. Within hours, other users had cloned the exploit repositories across multiple platforms — making the code more widely available, not less. Three of the six exploits are now being actively weaponized in enterprise intrusions.

    This is the central problem with banning vulnerability researchers rather than patching the vulnerabilities: it doesn’t make the exploits disappear. It makes them harder to trace, removes any goodwill the researcher might have had, and signals to the broader security community that disclosure — even patient, responsible disclosure — doesn’t get rewarded. It gets punished.

    The researcher has since threatened a major public disclosure event on July 14, 2026 — the next Patch Tuesday after June — warning the date will be significant whether or not Microsoft patches the remaining flaws first.

    Who’s Actually at Risk Right Now

    Windows users running unpatched systems are exposed to at least three active exploits that are being used in real enterprise attacks. The BlueHammer and RedSun privilege escalation exploits are particularly dangerous in corporate environments, where an attacker with standard user access can silently escalate to SYSTEM. UnDefend compounds the risk: an attacker can knock out Windows Defender before running any further payload.

    The YellowKey BitLocker bypass is a separate threat vector — it requires physical access but completely undermines the disk encryption that enterprises rely on for stolen-device scenarios. Microsoft has not confirmed a patch timeline for all six vulnerabilities.

    The Responsible Disclosure Debate This Reopens

    Coordinated vulnerability disclosure is supposed to work like this: researcher finds flaw, notifies vendor privately, vendor patches, researcher publishes. The system only functions if vendors actually patch and pay researchers fairly. When they don’t — and several high-profile cases suggest the MSRC has underpaid or ignored researchers — some researchers go public anyway.

    The question is whether that makes them a threat actor or a public safety actor. The security community is divided, but the immediate reaction to the GitHub ban leaned heavily toward the latter. When Microsoft controls GitHub and uses that control to silence critics of its own security practices, the optics are, at minimum, complicated.

    💡 Our Take: GitHub banning a researcher for publishing exploits on GitHub is a story about corporate power, not responsible disclosure. Microsoft owns the platform and used that ownership to silence someone who embarrassed its security team — and it made the exploits more widely available in the process. The real fix here is patching vulnerabilities and paying fair bug bounties, not banning the people who find them.

    Frequently Asked Questions

    What did Nightmare-Eclipse actually release?

    Six weaponized Windows exploits over six weeks in 2026: BlueHammer and RedSun (SYSTEM privilege escalation via Windows Defender), UnDefend (Defender disablement), YellowKey (BitLocker bypass via USB), GreenPlasma (SYSTEM via CTFMon), and MiniPlasma (SYSTEM via Windows Cloud Filter driver). Three are now being actively exploited in enterprise environments.

    Why did GitHub ban the security researcher?

    GitHub, which is owned by Microsoft, banned the account after the researcher published weaponized exploit code for unpatched Windows vulnerabilities. The researcher claims this was retaliation for Microsoft failing to patch the disclosed flaws and refusing to pay bug bounties. Security experts have described the ban as “vindictive.”

    Are these Windows exploits still dangerous after the ban?

    Yes. The ban did not remove the exploits: they were cloned to other platforms within hours. Three of the six are confirmed to be used in active enterprise intrusions as of late May 2026. Windows users should ensure all available patches are applied and monitor Defender integrity.

    What is coordinated vulnerability disclosure?

    Coordinated vulnerability disclosure (CVD) is the industry-standard process in which security researchers privately notify vendors of flaws, give them a fixed window (typically 90 days) to release a patch, and then publish their findings. The process breaks down when vendors fail to respond, underpay researchers, or ignore reports entirely — which is what Nightmare-Eclipse alleges happened here.

    What happens on July 14, 2026?

    Nightmare-Eclipse has threatened a major additional disclosure event on July 14, 2026 — the next Patch Tuesday after June. The researcher has stated the date will be significant regardless of whether Microsoft patches the remaining vulnerabilities beforehand. The security community is watching closely.

    The situation is still unfolding. Follow WithO2.com’s security coverage for updates as Microsoft’s patch response and Eclipse’s July 14 threat develop. See also: how AI agents are reshaping security workflows and enterprise software risks in 2026.

    Last Updated: June 2026
