A prolific Windows vulnerability researcher operating under the alias Nightmare Eclipse was banned from GitHub on May 23, 2026, after publishing weaponized exploit code for multiple zero-day flaws in Microsoft’s operating system. GitLab followed suit on May 26-27, removing the researcher’s repositories and accounts. The bans, which came within days of each other, have reignited debate over responsible disclosure and platform policies on hosting proof-of-concept exploits. Nightmare Eclipse, alternately known as Chaotic Eclipse and Dead Eclipse, had uploaded fully functional proof-of-concept code for at least two elevation-of-privilege vulnerabilities affecting all supported Windows versions, including Windows 11 and Windows Server 2025.
Microsoft has not yet released official patches for the flaws, leaving millions of systems exposed. The company acknowledged the vulnerabilities on May 24, assigning them severity ratings of Important and Critical, and confirmed it is working on a fix for the next Patch Tuesday cycle. Until then, the exploits remain usable against fully patched machines, and Microsoft Defender’s detection coverage is incomplete.
Who is Nightmare Eclipse?
Nightmare Eclipse is a pseudonymous security researcher with a track record of discovering kernel-level bugs in Windows. The person (or group) behind the handle has been active since at least 2022, often disclosing flaws on Twitter and exploit-sharing platforms. They previously used the aliases Chaotic Eclipse and Dead Eclipse, along with several other GitHub accounts that were suspended for similar violations in the past. The researcher is known for a confrontational style, frequently criticizing Microsoft’s patching speed and the security community’s norms around coordinated disclosure.
In late 2025, Nightmare Eclipse published a series of zero-day proof-of-concepts for local privilege escalation, bypassing Windows Defender’s exploit protections. At the time, Microsoft released out-of-band patches within a week. This time, the researcher posted multiple exploits simultaneously, including a remote code execution chain that combined a script injection flaw with the elevation-of-privilege bugs to achieve SYSTEM access over the network.
The uploaded exploits
The repositories removed from GitHub contained:
- CVE-2026-XXXXX — a kernel pool corruption in the Windows Ancillary Function Driver for Winsock (AFD.sys) allowing low-privileged code to gain SYSTEM rights. This bug had been silently fixed by Microsoft in a preview build but was left unpatched in production for four months.
- CVE-2026-YYYYY — an arbitrary file write vulnerability in the Windows Error Reporting service that allowed overwriting critical system files with attacker-controlled content, leading to code execution as LOCAL SYSTEM.
- A chained exploit combining both bugs with a third, previously unknown flaw in the Windows Script Host to achieve remote code execution without user interaction on Windows 11 version 24H2 and later.
The exploits were fully weaponized: each included reliable methods to overcome operating system mitigations such as Control Flow Guard, Kernel Address Space Layout Randomization (KASLR), and Supervisor Mode Execution Prevention (SMEP). Nightmare Eclipse claimed the code “works on every Windows machine released since 2020” and could be adapted to bypass Windows Defender with minor changes.
Platform bans
GitHub’s acceptable use policies prohibit “active malware or exploits,” which includes functional code designed to harm systems. On May 23, GitHub’s security team took down the main Nightmare Eclipse repository and suspended the account. In a brief notice, GitHub stated that the content violated its terms of service and that sharing full weaponized exploits without coordination with the vendor is not permitted. The researcher quickly moved to GitLab, creating a new project under a different alias. Within 72 hours—by May 26-27—GitLab also removed the project and suspended the account, citing similar community guidelines.
The bans triggered a Streisand effect: the exploit code had already been forked, mirrored on other code-hosting platforms, and shared widely via Telegram channels and dark web forums. Security researchers who had downloaded the repos before the takedowns confirmed the exploits worked as described.
Microsoft’s response and patch timeline
On May 24, Microsoft published Security Advisory ADV2026-001, acknowledging the vulnerabilities and confirming they affect all supported versions of Windows, including Windows 10, Windows 11, and Windows Server. The advisory promised patches for the next cumulative update, scheduled for June 9, 2026 — the regular Patch Tuesday. Microsoft did not commit to an out-of-band release, citing that the flaws require local access or an authenticated remote vector, which reduces immediate risk.
Security practitioners disagree with this assessment. The chained exploit demonstrated by Nightmare Eclipse can be delivered remotely via crafted Office documents or malicious SMB shares, making it feasible for ransomware actors to deploy; the document vector still needs a user to open the file, but that is a routine step in phishing campaigns. Several independent labs have reproduced the attack and confirmed it bypasses Microsoft Defender’s real-time protection when the exploit is slightly obfuscated.
Microsoft Defender risk
Microsoft Defender for Endpoint includes detection rules for common exploit techniques, but initial tests showed that the Nightmare Eclipse payloads evaded static signature detection. Microsoft updated Defender signatures on May 25 to cover the original proof-of-concept files, yet modified versions, produced simply by renaming variables and recompiling, continue to slip past, which is the expected limit of file-hash and byte-pattern signatures. The attack surface reduction (ASR) rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” can block such unknown binaries, but it is not enabled by default in most organizations and depends on cloud-delivered protection being turned on.
CrowdStrike Falcon and SentinelOne both detected the exploit attempts heuristically on the day of release, illustrating the gap between Microsoft’s first-party protection and third-party endpoint detection and response (EDR) products. Security teams that rely solely on Defender are advised to enable cloud-delivered protection, block suspicious Office macros, and restrict local administrative privileges until Microsoft releases a comprehensive patch.
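The following PowerShell script is an added example, not code from the article or from Microsoft, showing how a Defender-only shop would apply the interim hardening described above on a single endpoint: turn on cloud-delivered protection, roll out the prevalence ASR rule (plus two Office-macro rules) in audit mode first, refresh signatures, and report the resulting state. The ASR rule GUIDs are Microsoft’s published identifiers and are assumed current; confirm them against the ASR rule reference before pushing the settings through Intune or Group Policy. The `-Enforce` switch is this example’s own parameter.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): interim Defender hardening for one host.
# Without -Enforce the ASR rules are added in AuditMode so false positives can
# be reviewed before blocking anything.
param([switch]$Enforce)

# ASR rule GUIDs (assumed current; verify against Microsoft's ASR rule reference).
$AsrRules = @{
    # "Block executable files from running unless they meet a prevalence, age,
    # or trusted list criterion" - the rule named in the text, off by default.
    Prevalence  = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    # "Block all Office applications from creating child processes"
    OfficeChild = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    # "Block Win32 API calls from Office macros"
    OfficeWin32 = '92e97fa1-5d3b-4f50-ace7-8c5c5e2c8b2e'
}

# 1. Cloud-delivered protection. The prevalence rule and the cloud block level
#    both depend on MAPS reporting, so set it before the rules.
Set-MpPreference -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples `
                 -CloudBlockLevel High `
                 -CloudExtendedTimeout 50

# 2. ASR rules. AuditMode logs Event ID 1122 (would have blocked); Enabled
#    logs Event ID 1121 (blocked) in the Defender operational log.
$Mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
foreach ($id in $AsrRules.Values) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                     -AttackSurfaceReductionRules_Actions $Mode
}

# 3. Pull current signatures (the May 25 update covers the original PoC files only).
Update-MpSignature -ErrorAction Continue

# 4. Summarise state so the result can be pasted into a change ticket.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    RealTimeProtection = $status.RealTimeProtectionEnabled
    MAPSReporting      = $pref.MAPSReporting
    CloudBlockLevel    = $pref.CloudBlockLevel
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureUpdated   = $status.AntivirusSignatureLastUpdated
    AsrRuleIds         = ($pref.AttackSurfaceReductionRules_Ids -join ',')
    AsrRuleModes       = ($pref.AttackSurfaceReductionRules_Actions -join ',')
} | Format-List

# 5. Show the most recent ASR audit/block events to see what the rules touched.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } }
```

Run it once without `-Enforce`, review the 1122 audit events for a few days of normal use, then re-run with `-Enforce`. The prevalence rule is the one most likely to generate noise on hosts that run in-house or freshly built binaries, so those paths should go on the trusted list before enforcement.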
Community reaction and broader impact
The incident has split the security community. Some researchers argue that platform bans on exploit code are counterproductive, pushing dangerous code into less-visible dark web channels where it is more likely to be used by criminals. Others maintain that publicly sharing weaponized exploits without giving the vendor time to prepare a fix is reckless, putting millions of users at risk overnight.
On Twitter, security experts noted that Nightmare Eclipse had previously extorted small bounties from software vendors by threatening public disclosure—a practice sometimes called “bug poaching.” This raises ethical questions about the researcher’s motives and whether the bans are justified.
Enterprises are scrambling to assess exposure. The AFD.sys bug affects any system that uses Windows Internet Name Service (WINS) or has the “Function Discovery Provider Host” service running, which is the default on desktop editions. The error reporting bug is even more pervasive: the Windows Error Reporting service is present on every edition, and turning it off removes application crash reporting, so it is rarely disabled in practice. Temporary mitigations include blocking outbound SMB traffic, disabling the WINS service where it is not needed, and using AppLocker to restrict untrusted executables.
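As an added example (not from the article), the PowerShell script below performs the exposure check and the temporary mitigations just listed on a single host: it reports the OS build, the state of the WINS, Function Discovery Provider Host and Windows Error Reporting services, and whether an AppLocker executable rule collection is in force, and with the `-Apply` switch (this example’s own parameter) it adds an outbound block for TCP 445 and disables WINS where the role is running. Service names (`WINS`, `fdPHost`, `WerSvc`) and the firewall rule name are the example’s assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): exposure report plus interim mitigations.
# Without -Apply it only reports.
param([switch]$Apply)

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Service names assumed: WINS (WINS server role), fdPHost (Function Discovery
# Provider Host), WerSvc (Windows Error Reporting).
$services = foreach ($name in 'WINS', 'fdPHost', 'WerSvc') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Service   = $name
        Installed = [bool]$svc
        Status    = if ($svc) { $svc.Status.ToString() } else { 'absent' }
        StartType = if ($svc) { $svc.StartType.ToString() } else { '-' }
    }
}

# AppLocker: read the effective policy as XML and look for an Exe collection
# that is actually enforcing; an empty policy means nothing is restricted.
$exeEnforcement = 'none'
$policyXml = Get-AppLockerPolicy -Effective -Xml -ErrorAction SilentlyContinue
if ($policyXml) {
    [xml]$doc = $policyXml
    $exe = $doc.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Exe' }
    if ($exe) { $exeEnforcement = $exe.EnforcementMode }
}

[pscustomobject]@{
    Host             = $env:COMPUTERNAME
    OS               = $os.Caption
    Build            = $os.BuildNumber
    Services         = ($services | ForEach-Object { "$($_.Service)=$($_.Status)" }) -join '; '
    AppLockerExeMode = $exeEnforcement
} | Format-List

if (-not $Apply) {
    Write-Host 'Report only. Re-run with -Apply to add the temporary mitigations.'
    return
}

# Mitigation 1: block outbound SMB (TCP 445) to cut off the malicious-share vector.
# Scope this to workstations; file servers and domain controllers need 445 open.
$ruleName = 'Temp-Block-Outbound-SMB'   # example's own rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Added firewall rule $ruleName"
}

# Mitigation 2: stop and disable WINS where the role is installed but not needed.
$wins = $services | Where-Object Service -eq 'WINS'
if ($wins.Installed -and $wins.Status -eq 'Running') {
    Stop-Service -Name WINS -Force
    Set-Service  -Name WINS -StartupType Disabled
    Write-Host 'WINS service stopped and disabled'
}
```

The report half is safe to run fleet-wide through a remoting session or an RMM tool to build an inventory before the June patch; the `-Apply` half deliberately leaves Function Discovery Provider Host and Windows Error Reporting alone, since the article offers no supported workaround for those services and disabling them has side effects on discovery and crash reporting.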
What happens next?
Microsoft is expected to deliver patches on June 9. Although the company shipped out-of-band fixes for the researcher’s late-2025 releases, it does not routinely do so for local privilege escalations, even when exploit code is public. In the meantime, the Cybersecurity and Infrastructure Security Agency (CISA) may add the vulnerabilities to the Known Exploited Vulnerabilities catalog, which would oblige U.S. federal agencies to apply mitigations within a fixed deadline.
Nightmare Eclipse remains active on Twitter, promising further releases and taunting bug bounty programs that “pay peanuts for kernel bugs.” It is plausible that the researcher will resurface on other platforms, continuing the cycle of disclosure and ban.
For defenders, the immediate lesson is clear: relying on a single security product is insufficient, and timely patching must be complemented by defense-in-depth. Organizations using Microsoft Defender should urgently review their configuration and augment it with behavioral detection and threat intelligence that can catch exploit patterns which file signatures alone miss, as the recompiled variants of these exploits have already shown.
The coming weeks will test Microsoft’s ability to restore trust. The company’s handling of this disclosure—and whether it accelerates the patching timeline—will set a precedent for future interactions with independent researchers who choose to bypass coordinated vulnerability disclosure programs.