GitLab Suspends Nightmare-Eclipse Following GitHub Ban Amid Controversial Zero-Day Disclosures
In a significant development within the cybersecurity community, the anonymous researcher known as Nightmare-Eclipse has faced consecutive suspensions from major code-hosting platforms GitHub and GitLab. These actions come in response to the researcher’s public release of zero-day exploits targeting Microsoft Windows Defender, raising critical questions about vulnerability disclosure practices and platform responsibilities.
GitHub Suspension
On May 23, 2026, GitHub, a Microsoft-owned platform, terminated Nightmare-Eclipse’s account. The researcher had been actively publishing proof-of-concept (PoC) exploit tools that exposed unpatched vulnerabilities in Windows Defender. These releases were part of a campaign initiated on April 2, 2026, expressing frustration over perceived inaction by Microsoft’s Security Response Center (MSRC) regarding responsible vulnerability disclosures.
GitLab Follows Suit
Shortly after the GitHub ban, on May 26, 2026, GitLab suspended Nightmare-Eclipse’s account. The researcher had used GitLab to mirror the previously published exploit tools, ensuring continued accessibility despite the GitHub suspension. This swift action by GitLab underscores the platform’s commitment to responsible disclosure practices and the mitigation of potential security risks.
Released Exploit Tools
Nightmare-Eclipse’s campaign brought to light several critical vulnerabilities in Windows Defender through the release of the following PoC tools:
– BlueHammer (CVE-2026-33825): This tool exploits a time-of-check to time-of-use (TOCTOU) race condition in Defender’s threat remediation engine, allowing attackers to escalate privileges to SYSTEM level. Microsoft addressed this vulnerability in the April 2026 Patch Tuesday update, and it was subsequently added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog on April 22.
– RedSun: By abusing Defender’s cloud file rollback mechanism, RedSun enables the execution of attacker-planted binaries with SYSTEM privileges. As of May 2026, this vulnerability remains unpatched, posing a significant risk to affected systems.
– UnDefend: This tool silently disrupts Defender’s signature update process without triggering health alerts, gradually degrading endpoint protection. Like RedSun, UnDefend remains unpatched, leaving systems vulnerable to potential exploitation.
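Because UnDefend is described as degrading protection without raising Defender's own health alerts, the practical mitigation is a check that does not depend on those alerts. The following PowerShell is an added example, not code from the article or from the researcher; it assumes the Defender PowerShell module and the Defender operational event log are present, and the two-day age threshold and 24-hour lookback are placeholders to be set by local policy. It generalizes beyond UnDefend: any silent stall of signature updates, malicious or not, surfaces the same way.

```powershell
# Added example (not from the article): out-of-band check of Defender signature
# freshness that does not rely on Defender's own health alerts.
# Assumptions: thresholds below are local policy placeholders; run from an
# elevated session on the endpoint being checked.
param(
    [int]$MaxSignatureAgeDays = 2,   # placeholder threshold
    [int]$LookbackHours       = 24   # placeholder lookback window
)

$status = Get-MpComputerStatus
$findings = @()

# Signature ages are reported in days since the last successful update.
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "AV signatures are $($status.AntivirusSignatureAge) days old " +
                 "(version $($status.AntivirusSignatureVersion), " +
                 "last updated $($status.AntivirusSignatureLastUpdated))"
}
if ($status.AntispywareSignatureAge -gt $MaxSignatureAgeDays) {
    $findings += "Antispyware signatures are $($status.AntispywareSignatureAge) days old"
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += "Real-time protection is disabled"
}

# In the Defender operational log, event 2000 records a successful signature
# update and 2001 a failed one. Failures with no success in the window is the
# pattern to alert on, independent of what the Defender health state reports.
$since = (Get-Date).AddHours(-$LookbackHours)
$updateEvents = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 2000, 2001
    StartTime = $since
} -ErrorAction SilentlyContinue

$failures  = @($updateEvents | Where-Object Id -eq 2001).Count
$successes = @($updateEvents | Where-Object Id -eq 2000).Count
if ($failures -gt 0 -and $successes -eq 0) {
    $findings += "$failures signature update failures (event 2001) and no " +
                 "successes in the last $LookbackHours h"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: Defender signatures are current and updating"
} else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
}
```

Run it from a scheduled task or endpoint management tool and ship the output to a central log, so the signal never passes through the endpoint's own Defender health reporting.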
Active Exploitation and Industry Response
Security firm Huntress Labs confirmed active exploitation of these tools as early as April 10, 2026. Threat actors were observed deploying the exploits under innocuous filenames such as FunnyApp.exe, gaining initial access through compromised FortiGate VPN credentials before leveraging the Defender vulnerabilities for privilege escalation.
Microsoft has indirectly criticized Nightmare-Eclipse for violating coordinated vulnerability disclosure best practices. While the company has patched some of the reported flaws, others remain unaddressed, highlighting the challenges in balancing prompt vulnerability disclosure with the need for comprehensive remediation.
Upcoming Disclosure Event
Despite the platform suspensions, Nightmare-Eclipse has announced a major disclosure event scheduled for July 14, 2026. The researcher has indicated that this date will be significant regardless of any prior patches, suggesting the potential release of additional exploit tools or vulnerability information.
Ethical Disclosure Debate
This case has intensified the ongoing debate over ethical disclosure timelines, platform accountability, and the appropriate actions researchers should take when vendors are unresponsive. While some argue that public disclosure pressures vendors to act swiftly, others contend that it exposes users to unnecessary risks, especially when patches are not yet available.
Conclusion
The consecutive suspensions of Nightmare-Eclipse by GitHub and GitLab reflect the complex dynamics between security researchers, software vendors, and platform providers. As the cybersecurity community grapples with these challenges, the need for clear guidelines and cooperative approaches to vulnerability disclosure becomes increasingly evident.