CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 27, 2026

GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse After GitHub Ban

Cybersecurity News Archived May 27, 2026 ✓ Full text saved

The anonymous researcher known as Nightmare-Eclipse has been blocked from two major code-hosting platforms in less than a week, as their disruptive public zero-day campaign against Microsoft draws serious real-world consequences. GitLab moved to suspend the account of security researcher Nightmare-Eclipse on May 26, 2026, just days after GitHub, owned by Microsoft, terminated the researcher’s […] The post GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse After GitHub Ban appeared firs

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse After GitHub Ban By Guru Baran May 27, 2026 The anonymous researcher known as Nightmare-Eclipse has been blocked from two major code-hosting platforms in less than a week, as their disruptive public zero-day campaign against Microsoft draws serious real-world consequences. GitLab moved to suspend the account of security researcher Nightmare-Eclipse on May 26, 2026, just days after GitHub, owned by Microsoft, terminated the researcher’s account around May 23. The GitLab page had served as a rapid mirror of the six Windows Defender exploit tools previously hosted on GitHub, extending the researcher’s reach even after the initial ban. The researcher’s campaign began on April 2, 2026, driven by open frustration over Microsoft’s Security Response Center (MSRC) allegedly failing to act adequately on responsible disclosures. Over the following weeks, Nightmare-Eclipse released three headline-grabbing proof-of-concept (PoC) tools — BlueHammer, RedSun, and UnDefend that directly target Windows Defender. BlueHammer (CVE-2026-33825): A TOCTOU race condition (CVSS 7.8) in Defender’s threat remediation engine enabling SYSTEM-level privilege escalation; patched in Microsoft’s April 2026 Patch Tuesday update and added to CISA’s Known Exploited Vulnerabilities catalog on April 22. RedSun: Abuses Defender’s cloud file rollback mechanism to execute attacker-planted binaries as SYSTEM; remains unpatched as of May 2026. UnDefend: Silently freezes Defender’s signature update pipeline without triggering health alerts, degrading endpoint protection over time; also unpatched. Huntress Labs confirmed active exploitation of all three tools as early as April 10, 2026. Threat actors were observed deploying the tools under disguised filenames such as FunnyApp.exe, gaining initial access through compromised FortiGate VPN credentials before pivoting to Defender exploits for privilege escalation. Microsoft indirectly accused the researcher of violating coordinated vulnerability disclosure best practices, while patching some but not all of the reported flaws. Nightmare-Eclipse, who also maintains a Blogspot blog, has now publicly announced a major disclosure event targeting July 14, 2026, warning that the date will be significant regardless of prior patches. The case intensifies the long-running debate over ethical disclosure timelines, platform accountability, and what researchers should do when vendors go silent. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Fake Invitation Phishing Campaign Targets U.S. Organizations With Credential Theft LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access Trapdoor Android Ad Fraud Operation Uses 455 Malicious Apps to Generate Fake Clicks BadIIS Malware Turns Hijacks IIS Servers and Redirect Users to Illicit Sites NightSpire Ransomware Uses RDP Access and Remote Admin Tools for Stealthy Persistence Latest News Cyber Security News BIND 9 Software Vulnerabilities Exposes Resolvers and Authoritative Servers to Remote Exploits Cyber Security News India’s CERT-In Asks Organizations to Patch Vulnerabilities in Systems Within 12 hours Cyber Security Anthropic Releases Free Security Plugin for Claude Code Terminal to Detect Vulnerabilities Cyber Security News Multiple Angular Language Service Extension Vulnerabilities Enable RCE Attacks ANY.RUN How Tier 1 Can Process Alerts 3x Faster with Threat Intelligence
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 27, 2026
    Archived
    May 27, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗