Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump
Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops
Six 0-days, three under active exploitation, more to come on July 14?
Jessica Lyons
Published Thu 28 May 2026 // 21:19 UTC
The ongoing saga of Microsoft versus Nightmare Eclipse (aka Chaotic Eclipse), the disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft, reached a fever pitch, with the researcher, who has thus far released six Windows zero-days, promising a “bone shattering” drop on July 14.
Microsoft, for its part, finally responded to the security researcher and their weaponized Windows flaws with a blog post on (un)coordinated vulnerability disclosure about the now-public bugs: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Redmond says that none of these were reported via its official channels prior to being made public.
Attackers began hammering three of the six - BlueHammer, RedSun, and UnDefend - soon after Nightmare published working proof-of-concept exploit code for each on now-banned GitHub (owned by Microsoft) and GitLab accounts.
YellowKey, GreenPlasma, and MiniPlasma still don’t have fixes, and Microsoft has deemed “exploitation more likely” for YellowKey, aka CVE-2026-45585, citing a working POC.
“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” Microsoft wrote in a Wednesday blog, and then seemingly threatened legal action against Nightmare:
“Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”
Microsoft did not respond to The Register’s questions, including whether its legal team planned to sue Nightmare, whether the zero-day researcher is a current or former employee, and whether Microsoft axed Nightmare’s MSRC account, meaning that the bug hunter can’t disclose vulnerabilities to the Windows giant.
Nightmare, in their latest anti-Microsoft missive, claims Microsoft did just that.
“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” they wrote on Saturday. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.”
Nightmare also noted that “Microsoft still has chains in my hands,” preventing them from releasing “documents” yet, or anytime in June, and then warned: “Mark this date July 14th, I will make sure your bones are shattered that day.”
Regardless of what does or does not happen on July 14, Nightmare has already caused chaos - and real enterprise-level damage, as systems engineer Muhammad Qasim Shahzad said on LinkedIn.
“One person caused more enterprise-level damage in six weeks than most APT groups cause in a year,” Shahzad wrote. “The gap between disclosure and weaponization is now measured in hours, not days. Your patching window is shrinking fast.”
Zero Day Initiative’s bug hunter-in-chief Dustin Childs, who previously spent about seven years working for Microsoft security and has decades of experience on both sides of the coordinated vulnerability disclosure (CVD) process, told The Register that Microsoft could have handled this better. And he wondered what happened between the two parties to get to this point.
“CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”
Microsoft could also improve its communications to customers on “what the real risks from these bugs are and how they can defend themselves,” Childs added. “That clear direction seems to be missing.”
Microsoft's 'dumpster fire'
Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft’s bug bounty program despite execs vowing never to pay researchers for bugs, said...