
Microsoft, GitHub, and GitLab gang up to erase a security researcher

Original version · May 30, 3:30

When a researcher exposes the holes in Windows, Microsoft doesn't patch them—they pull the plug on the messenger. It's truly heartwarming to see GitHub and GitLab act like a corporate SWAT team to keep the ecosystem 'safe' from the truth.

Independent researcher Nightmare-Eclipse (also known as Dead Eclipse) found themselves in the crosshairs after publishing a series of PoC exploits targeting Microsoft software. The researcher dropped six major vulnerabilities, including BlueHammer, which bypassed Windows Defender, and YellowKey, which cracked BitLocker wide open. These weren't just theoretical musings; they were functional pathways to gaining SYSTEM-level access, essentially handing keys to the kingdom to anyone with a USB drive.

Instead of addressing the flaws, Microsoft’s MSRC allegedly stonewalled the researcher, ignored bug reports, and eventually threatened legal action. Nightmare-Eclipse claims the company turned personal, threatening to ruin their reputation after being accused of violating disclosure policies. The researcher, who seemingly has enough deep-kernel knowledge to rival an ex-employee, decided to go scorched-earth, promising a massive data dump on July 14, 2026.

The tech industry's 'neutral' platforms were quick to follow orders. GitHub banned the researcher’s account and purged their repositories, and GitLab followed suit just days later. Experts like William Dormann suggest this reflects a decline in MSRC’s quality, pointing to staff cuts that replaced veteran security engineers with bureaucratic checklist-followers.

The move to silence a researcher while the vulnerabilities remain active is a bold strategy in the game of corporate liability. It highlights a system where the convenience of a clean PR cycle is valued significantly higher than the actual security of the millions of users relying on Windows every day.

Source: Tom's Hardware
