# The Nightmare-Eclipse Disclosure Conflict: Timeline and Context
## Overview
The Nightmare-Eclipse situation became a fast-moving disclosure dispute that pulled Microsoft, multiple security researchers, and the broader vulnerability community into the same widening conflict. What began as a set of public technical drops quickly turned into a dispute over trust, process, retaliation, and the limits of coordinated disclosure.
This timeline follows the public record from late March through June 1, 2026. It focuses on the sequence of disclosures, the reactions from Microsoft, the escalation across platforms, and the way the controversy spread beyond the original technical issues.
## March 26, 2026: The first public post
The earliest public post associated with Nightmare-Eclipse appeared on March 26, 2026, under the blunt title “I never wanted to do this.” The author reopened a blog and created a fresh GitHub account specifically to publish code, framing the move as forced rather than voluntary.
The tone of the post was openly hostile and carried a strong sense of grievance. It suggested that some prior agreement had been broken, leaving the author with no meaningful alternative. That framing matters because it places the origin of the conflict before the technical disclosures themselves.
From the start, the dispute looked less like a routine vulnerability report and more like the breakdown of a relationship. The post implied that one side had crossed a line, and that the disclosures were a response to that breach.
## April 2, 2026: Verification and first disclosure
On April 2, two important posts appeared. First, a public PGP key was released so that future posts and files could be authenticated. That step signaled that the author intended to publish material that should be verifiable as coming directly from them.
Later the same day came the first real disclosure: “Public disclosure” tied to BlueHammer. The post linked to a GitHub repository and presented the release as a direct challenge to Microsoft. The wording was deliberately confrontational, including a sarcastic reference to Microsoft Security Response Center leadership.
This was the moment the situation moved from grievance to active disclosure. The PGP key gave the posts a layer of authenticity, but it also gave the entire campaign a more formal and persistent structure.
## April 12, 2026: UnDefend appears
A second tool, called “Funny DOS tool” and associated with UnDefend, was published on April 12 in another signed post. The author described it as a “0day (kinda)” and claimed Microsoft would eventually mitigate it, but only as a lower priority.
The post argued that the machine could be turned into “basically a hole” because anyone with administrator privileges could run arbitrary code, while Windows Defender would not be able to do much about it. The message was clear: the tool was presented as a practical, working bypass of Defender rather than a theoretical proof of concept.
The release reinforced the author’s willingness to publish multiple tools in rapid succession. By this stage, the disclosures were no longer isolated incidents but part of a sustained pattern.
## April 15, 2026: RedSun and the response to CVE-2026-33825
On April 15, Nightmare-Eclipse published another signed post titled “Public disclosure, a response for CVE-2026-33825 patch,” which introduced the RedSun repository. Much of the post directly attacked Microsoft’s response to BlueHammer and rejected what the author saw as generic dismissal.
The post also repeated a set of serious accusations about how Microsoft had handled prior contact. It claimed a case had been filed and dismissed, and alleged that the author had been told their life would be ruined. The message painted Microsoft not as a neutral recipient of reports, but as an institution that actively punishes researchers.
The post ended with a threat to keep escalating by publishing more severe issues. That shifted the conflict further away from disclosure and toward open confrontation.
## April 25, 2026: The dead man’s switch
A signed post titled “Remember this…” appeared on April 25 and changed the tone of the situation again. The author introduced the idea of a dead man’s switch, warning that if Microsoft continued along a certain path, a pre-armed release would activate automatically.
The post claimed the switch had already been active before the current dispute began. It also suggested that the material would be difficult and time-consuming to patch, and that it had been placed somewhere other than the author’s physical location.
This was more than posturing. It reframed the conflict as one of leverage, where the mere possibility of release was meant to influence Microsoft’s behavior.
## May 12–15, 2026: YellowKey, GreenPlasma, and MiniPlasma
By May 12, the situation had escalated again with “Two more public disclosures,” introducing YellowKey and GreenPlasma. The author claimed Defender had been intentionally spared during this release, while also warning that Microsoft would clamp down if a specific component was attacked too often.
The next day, the author posted a note about Microsoft silently patching RedSun without issuing a CVE or public advisory. That silence was treated as unacceptable, especially if the vulnerability had been under active exploitation. The same post also discussed YellowKey and claimed that TPM plus PIN protection would not stop it, although proof for that was being withheld.
On May 14, the author relayed findings from other researchers about YellowKey and GreenPlasma. YellowKey was said to involve a binary named autofstx.exe, while GreenPlasma was described as a technique involving writes to a protected registry key on patched Windows systems. The post acknowledged that not every claim had been independently verified.
On May 15, another signed post introduced MiniPlasma, described as a powerful local privilege escalation. The author said they found it by accident and claimed it worked on fully patched Windows 11 and Windows Server 2025, producing a SYSTEM shell. This connected directly to the earlier discussion of an old CVE-2020-17103 path that appeared to remain relevant.
## May 17, 2026: NSA backdoor
A critical, unpatched Windows 11 BitLocker zero-day named "YellowKey" has been leaked online. It is believed to be an NSA/TAO backdoor.
Released by researcher Nightmare-Eclipse, the exploit allows anyone with physical access to bypass default TPM-only encryption via a USB drive. By targeting an obscure "FsTx" framework hidden inside the Windows Recovery Environment (WinRE), attackers gain full read/write drive access. Microsoft has no patch yet. Defenders should immediately run reagentc /disable in CMD to kill WinRE.
https://x.com/officialrnintel/status/2055811768027427195
## May 20, 2026: CVE-2026-45585 and the wiped MSRC account
Microsoft’s advisory for CVE-2026-45585 prompted a new response on May 20. In “Dear Microsoft,” Nightmare-Eclipse objected to Microsoft’s claim that the public release violated coordinated vulnerability best practices.
The post argued that this language damaged the author’s personal reputation and did not resolve the underlying conflict. It also introduced a new allegation: that Microsoft had revoked and completely wiped the MSRC account used to report vulnerabilities. According to the author, repeated requests for clarification had gone unanswered.
This was a key turning point because it linked a specific Microsoft advisory to the account action. The dispute was no longer just about disclosure style; it was also about access, identity, and retaliation.
## May 23–26, 2026: The deadline and the bans
On May 23, Nightmare-Eclipse published “July 14th,” which read like an ultimatum. The post accused Microsoft of refusing to communicate, of defaming the author through the CVE-2026-45585 advisory, and of flagging and wiping the GitHub account.
The author declared that July 14 would matter and implied that something serious would happen then. They also announced a move to GitLab and mapped specific CVEs to project names, identifying CVE-2026-45498 as UnDefend and CVE-2026-41091 as RedSun.
The GitHub account was removed on May 24, and the public reaction was immediate. For many observers, the ban became a symbolic moment, and some interpreted it as a move that increased sympathy for the researcher rather than reducing risk.
Three days later, on May 26, the GitLab account was also banned. That left the author without access to the two major code-hosting platforms they had just used, and it intensified uncertainty about where any future release would land.
## May 27–29, 2026: Microsoft responds, then Bitskrieg appears
On May 27, Microsoft published an official response titled “A shared responsibility: Protecting customers through Coordinated Vulnerability Disclosure.” The post said several zero-days had been publicly disclosed without first being shared with Microsoft, and it named the project set directly: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma.
Microsoft framed coordinated disclosure as the expected industry norm and warned that its Digital Crimes Unit would continue pursuing cases against actors and enablers of criminal activity. At the same time, the company said it still welcomed future submissions, even from researchers with prior disputes or reputations.
On May 28, Nightmare-Eclipse posted only the number 7 above an image of Albert Wesker. The post contained no signature or explanation, which made it stand out sharply from the earlier long, formal disclosures.
The next day, “Announcing Bitskrieg” appeared. The post said several researchers had contributed vulnerabilities, credited JonasLyk with most of the work, and claimed the group had found a way to violate Secure Boot trust. The author was careful to say it was not a full Secure Boot bypass, but they also claimed it fully bypassed BitLocker and could possibly affect confidential VMs.
Bitskrieg marked a major expansion in scope. The conflict now looked less like a single researcher versus Microsoft and more like a broader, semi-coordinated security campaign with visible outside support.
## May 30–31, 2026: Broader community fallout
By May 30, the controversy had spread well beyond the original posts. It was circulating across Reddit, X, cybersecurity blogs, reverse-engineering communities, and international security circles.
The discussion increasingly moved away from the vulnerabilities themselves and toward the larger process questions. People were debating whether coordinated disclosure was functioning properly, how researchers should be treated, and whether Microsoft’s response had escalated the situation unnecessarily.
By May 31, the situation was still unresolved. Bitskrieg had not yet been released, but it remained expected during June. The community was watching closely, and the tone of the discussion had become polarized.
That same day, criticism of supporters started to surface as well. Some observers dismissed the whole episode as theatrical, while others defended the disclosures and argued that tone should not obscure the underlying technical claims.
## June 1, 2026: Microsoft softens its position
In the early hours of June 1, Microsoft Security Response Center posted a second public statement on X. Compared with the earlier blog post, the tone was noticeably softer and more measured.
The statement said Microsoft had no intention of pursuing action against individuals conducting or publishing security research. It drew a distinction between research and criminal activity, saying law enforcement would only be involved where someone broke the law and caused real harm.
Microsoft also acknowledged that some interactions had fallen short and said it was working to learn from them. The company pointed to the growing volume of reports and the rise of AI-assisted research, while also emphasizing that many on the team had security research backgrounds themselves.
For many readers, this sounded like a partial reset. It did not resolve the controversy, but it did step back from the more aggressive posture that had fueled so much of the backlash.
## June 9, 2026: RoguePlanet
Nightmare-Eclipse just dropped RoguePlanet, a new Windows Defender local privilege escalation 0day PoC.
NE suspects the BitLocker bypass may still work but isn't certain.
He has a new GitHub btw, let's see how long the account will last: https://github.com/MSNightmare/RoguePlanet
https://x.com/IntCyberDigest/status/2064467119400526027
## What this means
The Nightmare-Eclipse conflict is no longer just a sequence of disclosures. It has become a case study in how quickly vulnerability handling, public messaging, and platform enforcement can turn a technical issue into a broader legitimacy crisis.
For cybersecurity researchers, the core lesson is not only about the bugs themselves. It is also about how trust can collapse when disclosure channels fail, how public threats can reshape incentives, and how platform bans can intensify rather than contain conflict. The situation still appears active, and the expected June release of Bitskrieg remains one of the most closely watched developments.