GitHub banned the researcher dropping Windows zero-days. The code was already mirrored everywhere.

GitHub deleted the account behind a string of unpatched Windows exploits on May 23. By then the code was everywhere: forked, mirrored to rival hosts, and already trading on Telegram before the ban hit.

The researcher goes by Nightmare-Eclipse, and over six weeks they dropped six working exploits against Microsoft’s own operating system. GitHub, which Microsoft has owned since 2018, wiped the repositories. GitLab suspended the mirror days later. The takedown settled nothing. It reopened the oldest argument in security: who gets to decide what research can be hosted, and what happens when the host is owned by the company the research embarrasses?

What Nightmare-Eclipse actually shipped

The campaign started on April 2. According to Tom’s Hardware, the researcher released six zero-day exploits over roughly six weeks, each one a working tool rather than a write-up. The headline drops carried names: BlueHammer and RedSun, both local privilege-escalation exploits that hand an attacker SYSTEM access through Windows Defender, plus UnDefend, which targets the same endpoint stack. Then came YellowKey, which bypasses BitLocker disk encryption with files on a USB stick. We covered that BitLocker drop on its own when the PoC first landed on May 12.

Here’s the part that turns a disclosure spat into a real fight. Several of those exploits came under active attack in the wild. The Hacker News, citing Microsoft, reports BlueHammer, RedSun, and UnDefend have all been used against real targets. That’s the difference between dropping a patched bug to make a point and handing live ammunition to whoever’s watching.

The motive isn’t subtle. Eclipse says Microsoft’s Security Response Center sat on responsible reports, deleted their reporting account, and never paid the promised bounties. “I got zero pennies from doing so,” the researcher wrote, a jab at unpaid MSRC payouts. They aren’t framing this as research. They’re framing it as payback, and they’ve threatened more: a blog post marks July 14 as a date when, in their words, “I will make sure your bones are shattered.”

The policy GitHub is leaning on

GitHub’s defense rests on one document, and it’s worth reading the actual clause. The Active Malware or Exploits policy opens by protecting research:

GitHub allows dual-use content and supports the posting of content that is used for research into vulnerabilities, malware, or exploits, as the publication and distribution of such content has educational value and provides a net benefit to the security community.

So a PoC for a Windows flaw is, by default, allowed. The carve-out comes next. GitHub says it may step in “in rare cases of very widespread abuse of dual-use content” to “disrupt an ongoing unlawful attack or malware campaign” that turns the GitHub platform into “an exploit or malware CDN.” That phrase, “exploit or malware CDN,” is the whole ballgame. It’s narrow on purpose. It was written to mean the platform is the delivery mechanism for a live attack, not the platform hosts code we’d rather not see.

Did this case clear that bar? Maybe. With BlueHammer and friends under active exploitation, Microsoft can argue the repos were feeding live campaigns. Critics counter that the code was mirrored within hours, so removing GitHub’s copy disrupted nothing. When a takedown doesn’t stop the attack, it starts to look like the second reading: removing code the host’s parent company didn’t like.

Where the disclosure norms sit

Strip away the personalities and you’re left with a decades-old spectrum. On one end, full disclosure: publish everything immediately, on the theory that sunlight forces vendors to move and defenders deserve the same information attackers can buy. On the other, coordinated disclosure: tell the vendor privately, agree a window, ship the patch first. Almost nobody lives at the extremes anymore.

The de-facto industry clock comes from Google. Project Zero’s policy gives a vendor 90 days to patch, then publishes regardless, with a 30-day grace period after a fix ships. For bugs already exploited in the wild, that 90 days collapses to seven. CERT/CC, the neutral coordinator at Carnegie Mellon, defaults to 45 days. The Zero Day Initiative waits 120. The numbers differ, but every one of them shares a premise Nightmare-Eclipse skipped: give the vendor some window before you publish a weapon.

That’s the strongest case against what Eclipse did, and it doesn’t require taking Microsoft’s side. You can believe MSRC botched the reports, stiffed the bounties, and still deleted the reporting account, and also believe that dropping live, exploited zero-days with no patch in sight crosses a line the norms exist to hold. Grievance is real. It doesn’t make weaponized full-disclosure the right tool.

Microsoft’s position, and why it’s complicated

Microsoft came out swinging. The company told The Hacker News it “firmly” opposes uncoordinated disclosures and warned that publishing proof-of-concept code for unpatched flaws can have “real-world consequences” when it lands “in the hands of bad actors.” On its face, that’s the textbook coordinated-disclosure argument, and it’s not wrong.

The complication is structural. Microsoft owns GitHub. So the affected vendor, the disclosure-policy critic, and the platform that deleted the evidence are the same corporate entity. That’s the exact conflict that detonated in 2021, and security researchers have not forgotten it.

Not everyone buys Microsoft’s good-faith framing, either. Will Dormann, a vulnerability analyst at Tharros, put the rot at MSRC bluntly: “Microsoft used to be quite excellent to work with. But to save money, Microsoft fired the skilled people, leaving flowchart followers.” If the front door for responsible reports is broken, you get more people going out the window. That doesn’t excuse live exploit drops. It does explain the supply of angry researchers.

The precedent everyone keeps citing

This has happened before, almost beat for beat. In March 2021, a researcher posted a proof-of-concept for ProxyLogon, the critical Microsoft Exchange chain that was already patched. GitHub pulled it. The backlash was immediate. TrustedSec’s Dave Kennedy called it “huge, removing a security researchers’ code from GitHub against their own product and which has already been patched.” Project Zero’s Tavis Ormandy pushed back too: “It’s unfortunate that there’s no way to share research and tools with professionals without also sharing them with attackers, but many people (like me) believe the benefits outweigh the risks.”

The pressure worked. Three months later GitHub rewrote the policy, adding explicit protection for dual-use research, an appeals process, and the narrow “exploit CDN” standard it’s now invoking. “We assume positive intention,” the company wrote at the time. The 2026 case is the first real stress test of that 2021 language, and the difference matters: ProxyLogon was patched, hosted by a third party, and not under active exploitation. Eclipse’s drops were none of those things. That gap is why this ban is defensible in a way the 2021 one wasn’t, even if the optics are identical.

Why you’re hearing about this now

The story hit Hacker News because it compresses four anxieties into one incident: a vendor with a broken disclosure pipeline, a researcher weaponizing that failure, a platform that can’t be neutral because it’s owned by the vendor, and a Streisand effect that made the takedown pointless. The code is forked, mirrored, and trading on Telegram. GitHub bought nothing but a news cycle.

My read: the ban was within policy, and it still made things worse. The repos likely did meet the “active exploitation” bar, so GitHub had cover. But the same parent company can’t credibly run the registry, set the disclosure norms, and write the bounty checks, then delete the code and expect the security world to call it neutral enforcement. The structural conflict is the actual bug here, and no acceptable-use clause patches it.

If you run a security program, watch what Microsoft does next. Not the statement. The MSRC fix, the bounty backlog, and whether July 14 brings a write-up or an RCE. The platform fight is loud. The disclosure pipeline that produced this researcher is the thing that’s still broken.