
The controversial security researcher known as Nightmare-Eclipse, who has been persistently releasing unpatched Windows zero-days as a vendetta against Microsoft, has been booted from GitLab just days after migrating from GitHub.
Nightmare-Eclipse, a rogue security researcher who released 6 Windows exploits in 6 weeks, has once again found themselves with no place to host their code.
GitLab, where the vigilante migrated after GitHub terminated their account on May 23rd, shut the door on May 26th. The account page now reads “This user is blocked.” Both platforms also wiped all the published repositories.
Nightmare-Eclipse rose to prominence following public disclosures of working critical Windows exploits, giving attackers full SYSTEM access or bypassing BitLocker encryption on fully patched systems.
Some even compared the researcher to a real-life Mr. Robot, a fictional hacker from a popular series, waging cyberwar against a corporate giant.
Nightmare-Eclipse hasn’t responded to the ban yet, but it’s unlikely to become a major setback. The hacker has previously threatened further releases.
The successive bans may have achieved the opposite of the intended effect. Within hours, multiple other users shared clones of the exploits across other platforms.
Nightmare-Eclipse is becoming a folk hero among security researchers and others who feel that tech companies often mistreat those who disclose vulnerabilities.
Major code-hosting platforms have also sent a clear message that anyone posting unpatched exploits publicly will likely lose access, which may dissuade some users from choosing major platforms and push them into less regulated corners of the internet.
Who is Nightmare-Eclipse, and what have they done so far?
The vigilante’s real identity remains unknown. They have been posting working proof-of-concept Windows exploits as a protest against alleged Microsoft mishandling of their previous agreement, which left them “homeless with nothing.” The individual feels stabbed in the back.
They have already published 6 public exploits loosely following a single naming convention, combining a color and an object. The exploits include the following:
- BlueHammer: A Windows Defender local privilege escalation exploit that allowed attackers to run the included FunnyApp.exe, or compile their own version, and gain a Windows SYSTEM shell.
- RedSun: A similar exploit that was released immediately after Microsoft patched the first vulnerability, which also grants SYSTEM privileges.
- UnDefend: A Windows Defender disruption tool for stopping definition updates and causing denial of service. Defender can’t detect new threats while the system appears healthy.
- YellowKey: The “most insane” exploit, which completely bypasses BitLocker encryption using a USB stick.
- GreenPlasma: An incomplete privilege escalation vulnerability expanding beyond Defender flaws. It targets the CTFMON process, responsible for text input features and running as SYSTEM.
- MiniPlasma: Another privilege escalation tool that spawns a SYSTEM shell. However, it exploits a 6-year-old flaw, originally identified by Google Project Zero, that either hasn’t been patched or had its patch rolled back.
All 6 exploits were released in a 6-week period from April 3rd, 2026. Network defenders have already observed the tools being used in real-world intrusions.
Following the GitHub ban, Nightmare-Eclipse threatened a further release of “documents soon” and suggested marking July 14th, 2026, as a possible next event date.
“I will make sure your bones are shattered that day,” the researcher posted on their blog.
The researcher also previously claimed to have deployed a “Dead man’s switch,” a mechanism that would likely automatically release additional exploits if something were to happen.