"Mark this date July 14th, I will make sure your bones are shattered that day," wrote the researcher identifying themselves as Nightmare Eclipse — a threat that follows six publicly released Windows zero-days and has compelled Microsoft to speak publicly about uncoordinated disclosures.
Nightmare Eclipse: six zero-days, a public grudge, and a July 14 promise
The researcher known as Nightmare Eclipse (also described as Chaotic Eclipse) has published six Windows zero-days: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Nightmare has posted working proof-of-concept (PoC) exploit code for at least three of those and, after a dispute with Microsoft, warned of a further “bone shattering” release planned for July 14. In a message captured by The Register, the researcher said Microsoft had “refuse[d], humiliated me and made sure to insult me” and asserted that Microsoft deleted the account used to report bugs and withheld payments and credit.
Microsoft's public response and the threat of legal action
Microsoft published a blog post castigating what it called uncoordinated disclosures of weaponized Windows vulnerabilities and naming the six bugs released by Nightmare. The company stated that none of the six were reported via its official channels prior to being made public, and warned that “Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences.”
Microsoft further noted that its Digital Crimes Unit “will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.” The Register reported that Microsoft declined to answer questions about whether it planned to sue Nightmare, whether the researcher is a current or former employee, and whether Microsoft had deleted the researcher’s MSRC account.
Active exploitation: BlueHammer, RedSun, UnDefend — and YellowKey's elevated risk
The Register reports that attackers began exploiting three of the released bugs — BlueHammer, RedSun, and UnDefend — shortly after proof-of-concept code for each was posted on now-banned GitHub and GitLab accounts. Microsoft says YellowKey, identified as CVE-2026-45585, has a working PoC and has therefore been assessed as having “exploitation more likely.” At the time of Microsoft’s post, YellowKey, GreenPlasma, and MiniPlasma remained without fixes.
Systems engineer Muhammad Qasim Shahzad posted on LinkedIn that “One person caused more enterprise-level damage in six weeks than most APT groups cause in a year,” and warned that “The gap between disclosure and weaponization is now measured in hours, not days. Your patching window is shrinking fast.”
Voices from the field: Dustin Childs, Katie Moussouris, and Kevin Beaumont
Dustin Childs of Zero Day Initiative, who previously worked for Microsoft security, criticized how Microsoft publicly framed the disclosure, saying “CVD is a two-way street” and calling Microsoft’s public statement “bold” for declaring a violation of coordinated vulnerability disclosure without showing correspondence. Childs also said Microsoft could do better explaining “what the real risks from these bugs are and how they can defend themselves,” adding that clarity for customers was “missing.”
Katie Moussouris, founder and CEO of Luta Security and a pioneer of Microsoft’s bug bounty program, told The Register Microsoft’s response “sends mixed messages.” She said the company’s language invoked the term “responsible disclosure,” which she considers outdated, and described the Digital Crimes Unit reference as “vaguely threatening.” Moussouris characterized the exchange between Nightmare and Microsoft as a possible example of a researcher who “believes every legitimate channel was closed to them” and warned that users lose when coordination fails.
Security researcher Kevin Beaumont called the situation a “dumpster fire of [Microsoft’s] own making,” and pointed to inconsistency in Microsoft’s past decisions — noting the company previously hired a hacker called SandboxEscaper after public exploit releases — as a complication for any attempt to criminalize disclosure outside a vendor’s preferred framework.
What this means for technologists, enterprises, and researchers
- Technologists and security teams: expect a compressed timeline between PoC publication and active exploitation. Microsoft’s assessment that CVE-2026-45585 (YellowKey) is more likely to be exploited underscores the need to monitor vendor advisories and hunt for exploit indicators tied to BlueHammer, RedSun, and UnDefend.
- Enterprises and IT operations: Muhammad Qasim Shahzad’s LinkedIn post signals that patching windows are tightening; teams must prioritize detection and mitigation for the named bugs while tracking Microsoft’s fix cadence for YellowKey, GreenPlasma, and MiniPlasma.
- Researchers and disclosure intermediaries: the clash illustrates the potential chill from public disputes and legal threats; Katie Moussouris warned that mixed messages and the invocation of criminal enforcement could deter researchers from coordinated disclosure pathways.
Microsoft and Nightmare have staked competing narratives: a vendor decrying uncoordinated, weaponized disclosure and invoking legal remedies, and a researcher claiming humiliation, account deletion, withheld payments, and an intention to retaliate on July 14. Microsoft did not answer The Register’s questions about whether legal action is planned or whether the researcher’s reporting account was deleted. Those unanswered items — and the July 14 date itself — are the next fixed points in a dispute that has already accelerated exploitation and narrowed the window for enterprise defenses.




