From White‑Hat to Banned Outlaw: The Rapid Fall of a Security Researcher
An anonymous researcher with a legitimate MSRC account publicly released multiple Windows 0‑day exploits after his reports were ignored, leading to swift bans on GitHub and GitLab, sparking a heated debate over platform policies, coordinated disclosure failures, and the broader breakdown of the bug‑bounty ecosystem.
1. Timeline: From “Legitimate White‑Hat” to Platform Outcast
Nightmare‑Eclipse, an anonymous researcher with a legitimate MSRC account, publicly released a Windows 0‑day PoC (BlueHammer) on his blog and GitHub on 2 April 2026 after his repeated reports were ignored and his account was deleted. Microsoft patched the vulnerability (CVE‑2026‑33825) on 14 April, and CISA listed it as a known exploited vulnerability.
1.2 The “Pandora Box” Opens
Two days later the researcher released additional PoCs (RedSun, UnDefend), and over the following weeks he disclosed further 0‑day exploits such as YellowKey, GreenPlasma and MiniPlasma, totaling at least six active vulnerabilities before GitHub fully banned his accounts.
Cynet’s analysis describes the BlueHammer attack chain as “elegant”: it leverages Windows Defender’s update mechanism, VSS, and the trust placed in the Cloud Files API, and uses a TOCTOU race to read the SAM database and extract NTLM hashes without dropping new malicious files, thereby evading both static analysis and behavior‑based detection.
1.3 From GitHub to GitLab: Nowhere to Hide
Around 24 May GitHub permanently banned the accounts for violating terms of service. The researcher quickly opened a new GitLab account on 25 May, which was also banned shortly thereafter without an appeal opportunity. In his final blog post he threatened Microsoft with a “July 14 deadline”.
2. Why GitLab Followed Suit
Both platforms’ terms prohibit hosting malicious or unauthorised attack code. Beyond that, upstream pressure from companies such as Microsoft, which can bring legal leverage to bear, and GitLab’s automated “git abuse rate limit” system, which flags abnormal download or clone activity, can each trigger bans without manual review.
3. The Debate: Who’s at Fault?
Pro‑ban view
Supporters argue the ban is lenient; some suggest GitHub could have pursued criminal prosecution. Microsoft states that publishing PoC code violates coordinated vulnerability disclosure (CVD) best practices. Reports indicate that the PoCs have been weaponised by hacking groups.
Anti‑ban view
Security experts such as Dustin Childs (Trend Micro ZDI) criticize MSRC’s poor communication, noting that many researchers abandon reporting to Microsoft. Media outlets like Dark Reading and CSO Online highlight systemic failures in Microsoft’s vulnerability response and the breakdown of responsible‑disclosure incentives.
The researcher’s perspective
Account deletion and “vanishing” reports left his submissions unaddressed.
Microsoft’s CVE‑2026‑45585 announcement labelled his actions as a breach of coordinated disclosure, which he saw as personal defamation.
His threats escalated beyond normal dispute.
4. Why the Disclosure Mechanism Failed
The incident reflects a systemic collapse of incentive structures and communication channels. MSRC’s slow response erodes trust, while platforms, lacking the mandate to adjudicate disputes, opt for risk‑avoidance by removing potentially weaponised exploit code.
The community’s split—some heroising the researcher, others condemning the public release—sends a negative signal about the overall security posture of the ecosystem.
5. Conclusion
Microsoft lost a potential ally, GitHub and GitLab lost a user, and the ecosystem now faces six leaked 0‑day exploits and a widening trust gap. When coordinated‑disclosure incentives turn into retaliation tools, no party wins.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.