{"id":13175,"date":"2026-05-27T10:03:46","date_gmt":"2026-05-27T10:03:46","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/27\/gitlab-suspends-windows-exploit-researcher-nightmare-eclipse-after-github-ban\/"},"modified":"2026-05-27T10:03:46","modified_gmt":"2026-05-27T10:03:46","slug":"gitlab-suspends-windows-exploit-researcher-nightmare-eclipse-after-github-ban","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/27\/gitlab-suspends-windows-exploit-researcher-nightmare-eclipse-after-github-ban\/","title":{"rendered":"GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse After GitHub Ban"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">The anonymous researcher known as Nightmare-Eclipse has been blocked from two major code-hosting platforms in less than a week, as their disruptive public zero-day campaign against Microsoft draws serious real-world consequences.<\/p>\n<p class=\"wp-block-paragraph\">GitLab moved to suspend the account of security researcher Nightmare-Eclipse on May 26, 2026, just days after GitHub, owned by Microsoft, terminated the researcher\u2019s account around May 23.<\/p>\n<p class=\"wp-block-paragraph\">The GitLab page had served as a rapid mirror of the six Windows Defender exploit tools previously hosted on GitHub, extending the researcher\u2019s reach even after the initial ban.<\/p>\n<p class=\"wp-block-paragraph\">The researcher\u2019s campaign began on April 2, 2026, driven by open frustration over Microsoft\u2019s Security Response Center (MSRC) allegedly failing to act adequately on responsible disclosures.<\/p>\n<p class=\"wp-block-paragraph\">Over the following weeks, Nightmare-Eclipse released three headline-grabbing proof-of-concept (PoC) tools \u2014 BlueHammer, RedSun, and 
UnDefend, all of which directly target Windows Defender.<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong><a href=\"https:\/\/cybersecuritynews.com\/bluehammer-poc-for-windows-defender\/\" target=\"_blank\" rel=\"noreferrer noopener\">BlueHammer (CVE-2026-33825)<\/a>:<\/strong> A TOCTOU race condition (CVSS 7.8) in Defender\u2019s threat remediation engine enabling SYSTEM-level privilege escalation; patched in Microsoft\u2019s April 2026 Patch Tuesday update and added to CISA\u2019s Known Exploited Vulnerabilities catalog on April 22.<\/li>\n<li>\n<strong><a href=\"https:\/\/cybersecuritynews.com\/defender-0-day-redsun\/\" target=\"_blank\" rel=\"noreferrer noopener\">RedSun<\/a>:<\/strong> Abuses Defender\u2019s cloud file rollback mechanism to execute attacker-planted binaries as SYSTEM; remains unpatched as of May 2026.<\/li>\n<li>\n<strong><a href=\"https:\/\/cybersecuritynews.com\/windows-defender-0-day-vulnerability-exploited\/\" target=\"_blank\" rel=\"noreferrer noopener\">UnDefend<\/a>:<\/strong> Silently freezes Defender\u2019s signature update pipeline without triggering health alerts, degrading endpoint protection over time; also unpatched.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">Huntress Labs confirmed active exploitation of all three tools as early as April 10, 2026. 
Threat actors were observed deploying the tools under disguised filenames such as FunnyApp.exe, gaining initial access through compromised FortiGate VPN credentials before pivoting to Defender exploits for privilege escalation.<\/p>\n<p class=\"wp-block-paragraph\">Microsoft indirectly accused the researcher of violating coordinated vulnerability disclosure best practices, while patching some but not all of the reported flaws.<\/p>\n<p class=\"wp-block-paragraph\">Nightmare-Eclipse, who also maintains a Blogspot blog, has now publicly announced a major disclosure event targeting July 14, 2026, warning that the date will be significant regardless of prior patches.<\/p>\n<p class=\"wp-block-paragraph\">The case intensifies the long-running debate over ethical disclosure timelines, platform accountability, and what researchers should do when vendors go silent.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/windows-exploit-researcher-suspended\/\">GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse After GitHub Ban<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<br \/>\n<a 
href=\"https:\/\/cybersecuritynews.com\/windows-exploit-researcher-suspended\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GitLab Suspends Windows Exploit Researcher Nightmare-Eclipse After GitHub Ban The anonymous researcher known as Nightmare-Eclipse has been blocked from two major code-hosting platforms in less than a week, as their disruptive public zero-day campaign against Microsoft draws serious real-world consequences. GitLab moved to suspend the account of security researcher Nightmare-Eclipse on May 26, 2026, just [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-13175","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13175"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13175"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13175\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13175"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\
/{rel}","templated":true}]}}