Microsoft threatens legal action against researcher over zero-day exploits
In brief
- Microsoft disabled Nightmare Eclipse's accounts on GitHub, GitLab, and the MSRC portal
- Nightmare Eclipse has released six zero-day exploits since April 2026, including BlueHammer and RedSun
- Researcher claims prior vulnerability reports through Microsoft's official channels were ignored
- Security experts warn Microsoft's legal threats could deter future vulnerability disclosures
The disclosure and Microsoft's response
Microsoft threatened legal action against a security researcher known as Nightmare Eclipse for publishing zero-day exploit code. Nightmare Eclipse has released at least six zero-day exploits since April 2026, including exploits for vulnerabilities tracked as CVE-2026-33825 (BlueHammer) and CVE-2026-41091 (RedSun).
Microsoft's Digital Crimes Unit disabled the researcher's accounts on GitHub, GitLab, and the Microsoft Security Response Center portal. The company responded in late May 2026 with a statement that uncoordinated disclosures placing exploit code into malicious hands are "never justifiable."
The researcher's claims
Nightmare Eclipse has claimed that prior attempts to report vulnerabilities through Microsoft's Security Response Center were ignored or mishandled. This allegation sits at the heart of the dispute—if official channels failed, the reasoning goes, public disclosure became the only recourse. Some posts from Nightmare Eclipse suggest they may be a disgruntled former Microsoft employee, which adds another layer to the corporate-researcher tension.
Some of the released exploits have reportedly been used in real-world attacks shortly after their public disclosure. BlueHammer and RedSun target core Windows components, so they could affect cryptocurrency infrastructure, including mining operations and exchange backend systems.
Industry pushback and the chilling effect
Kevin Beaumont, a cybersecurity researcher and former Microsoft employee, called the situation a "dumpster fire" and pointed out that Microsoft has previously hired researchers who published similar exploits. Beaumont warned that Microsoft's legal threats could create a chilling effect on future vulnerability disclosures.
The concern is straightforward: if researchers face legal consequences for public disclosure, fewer will step forward with evidence of flaws. That silence doesn't make systems safer—it just means vulnerabilities stay hidden longer, giving malicious actors more time to exploit them. Reports of doxxing against Nightmare Eclipse have also surfaced on social media, though attribution remains unclear, adding personal safety concerns to the professional debate.


