Microsoft vs Nightmare Eclipse: zero‑day fallout and legal threats

Hacker News

Microsoft’s blog on Wednesday detailed six Windows zero‑days—RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma and MiniPlasma—released by the researcher known as Nightmare Eclipse. The hacker, who previously disclosed six exploits, threatened a “bone‑shattering” drop on July 14. Microsoft says none were submitted through its official channels before publication. Proof‑of‑concept exploits for BlueHammer, RedSun and UnDefend were posted to banned GitHub and GitLab accounts shortly after disclosure.

Microsoft’s response condemned uncoordinated disclosure, warning that publishing exploit code endangers customers and invites legal action. The company’s Digital Crimes Unit pledged to pursue cases against actors who weaponize such flaws, while noting that exploitation of YellowKey (CVE‑2026‑45585) appears likely. No patches exist for YellowKey, GreenPlasma or MiniPlasma, leaving enterprise systems exposed.

Industry veterans criticize Microsoft’s handling. ZDI chief Dustin Childs called the public accusation “bold” and said the firm failed to share correspondence, while Luta Security founder Katie Moussouris called the blog’s language “mixed messages” that could chill future researchers. The saga illustrates how a narrow patch window—now measured in hours—can amplify damage from a single zero‑day.