"We will ruin your life" -Microsoft
Now, I know most of my videos about Microsoft tend to be a little bit more nitpicky, or making fun of a situation. Like, look at this graph right here. You see how it starts off at pretty much zero and then, just in the last year, completely explodes? Well, what is this graph? This is the Google Trends for "GitHub alternatives". Normally, I'd make a video and we'd all go, "GitHub what? Oh, they suck." But this time, this video is a little different.

Okay, I want you to take a look at this picture. I know, anime waifu. Some of you are pretty excited. Calm down. This is not an exciting topic. This picture right here is nothing but distilled fear for Microsoft. For you, probably something different. Distilled something completely different. But for Microsoft, absolutely the most terrifying image they've seen in years. Now, if you're not chronically online and I'm your news source, which a lot of you say, then looking at this image you're probably going, "Well, what's so scary? What's so scary about a little anime waifu?" We all know what happens when you see an anime waifu, right? Either whatever's coming up next is going to be single-handedly the dumbest thing you've ever heard in your entire lifetime, or it's from the most cracked engineer you've ever seen in your lifetime. Well, it turns out it's the second one. It's the very, very cracked one, because what you're seeing is the Nightmare Eclipse account. Six zero-days in six weeks and one big grudge. This individual is releasing zero-days that are absolutely devastating, once a week, for the last six weeks. They have been banned off of GitHub. They just got done being banned off of GitLab. They are being deplatformed constantly by releasing these huge zero-days.

Now, if you're anything like me, you probably go, "Okay, well, releasing zero-days, that's bad, right?" I mean, I'm not a huge security guy, so I can't tell you a lot about security. But I can tell you that it seems bad, right? Releasing stuff that could potentially get your average mom and pop hacked or have some of their assets stolen. Yeah, that sounds pretty bad. But when you start learning about this story, when you start learning about Microsoft, I think you're going to be a little bit surprised. And maybe, just maybe, you'll go, "Oh, this story's a bit different." Now, before we get to the Nightmare Eclipse anime waifu, we first need to say thank you to the sponsors.
I know a lot of you have agents and you're letting them run around on the internet on your computer. Stop it. That's the easiest way to shoot yourself in the foot. This is why you need today's video sponsor, Colonel.sh, the crazy fast and open-source infra for your AI agents to access the internet. It takes under 30 milliseconds to spin up one or 1,000 cloud browsers for your agents, and authentication is automatically handled. Right now, over 3,000 teams already use this in production, including Framer and Cash App. So, quit nerfing your agents and give them a real browser. Head on over to colonel.sh and let them use the internet.
Welcome back. So, first, let's learn a little bit about the backstory, what's going on, and then we're going to see some of the reactions, which are going to make you do a 180 on what's going on.

So, first off: Nightmare Eclipse, Dead Eclipse, Chaotic Eclipse, or just Eclipse, is a malicious actor who has released six Windows zero-day exploits since early April 2026, in what multiple researchers described as an escalating retaliatory campaign against Microsoft. Eclipse doesn't fit neatly into the traditional threat intelligence categories. They don't appear to be seeking profit, advancing a social cause, or pursuing geopolitical objectives. In other words, just pure chaos. Like, they're literally out there for the love of the game. They appear to be a single security researcher driven by a personal vengeance, deliberately unleashing dangerous exploits that others are now using in real-world attacks. Defenders and researchers should respond to Nightmare Eclipse as seriously as any other threat actor, even though they operate alone and outside the usual ecosystem. And of course, the list of their exploits: Blue Hammer, Red Sun, Undefend, Yellow Key, Green Plasma, Mini Plasma, and several of them unpatched. If you're interested in more of the backstory, and how they're coming up with the names, you can check out the link in the description.

But the part that's pretty interesting is that the actor's identity is unknown, but people believe this is an insider. They believe it is a former Microsoft employee. Nightmare Eclipse also alleges that personnel from the Microsoft Security Response Center directly threatened them: "I was told personally by them that they will ruin my life, and they did."

All right, so that's kind of where we stand on what we know about this situation. And so for me, I was, you know, you could see that there's some sort of personal grievance, some sort of vendetta going on here. But still, I kind of feel bad about zero-days being released as proof of concept right into the wild, because people will end up getting hurt. Granted, that's still true, but now I'm starting to learn a lot of things about the Microsoft Security Response Center, and I think you should probably know about them, too.

"Last time I dealt with Microsoft Security Response Center, I found a command injection vulnerability present for a decade in context menus. Not highly critical, but still exploitable. MSRC did not reward the bounty, nor did they attribute a CVE to this finding, because it doesn't meet their criteria as a vulnerability that requires an immediate security update. However, it was fixed a month later in Windows 11 Canary."

So, taking credit, pretending like it's not a big deal, and not paying somebody.

"My last submission to MSRC was for a Defend Guard bypass. I learned my lesson from prior drawn-out submissions, so I included a 90-day window this time. MSRC responded saying that I met their bar and they would fix it, but asked me to withhold disclosure for another 90 days because they needed a few extra months to fix it. I agreed on the condition that they issue a CVE, to which they agreed. After the agreed-upon Patch Tuesday a few months later, I couldn't find any mention in the CVE list. So, I reached out to MSRC to inquire. It turns out they changed their minds, deciding it did not meet their bar for servicing, yet patched it anyway. Since it didn't meet their bar, they didn't issue a CVE. MSRC strung me along a few extra months to keep me quiet and then broke their word."

Huh. So, again, they effectively strung somebody along and didn't give them credit, effectively refusing to pay them. Kind of seems like a little bit of a recurring theme, don't you think?

"Last time I dealt with MSRC, I responsibly disclosed an issue with a legacy OT that allowed me to spray passwords at a [redacted] endpoint and avoid smart lockout. Received an email 5 months after initial case opening: doesn't meet the bar for servicing. Microsoft silently fixed and closed the case."

Huh.
You know, it's almost like you're starting to see a pattern here. And if you check out vx-underground, apparently there's maybe a little bit more that we don't understand. It turns out that the Microsoft Security Response Center is actually somehow this center that is just really disservicing the security researchers out there. They are completely ignoring them, and/or they're just taking their work, silently fixing it, not responding, doing all sorts of stuff that just massively disincentivizes the entire security research world. And this has been going on for years. It's been going on for so long that, look at this right here. This is in August 2023. Okay, this is 3 years ago.

"Last week, Senator Ron Wyden sent a letter to the Cybersecurity and Infrastructure Security Agency, the Department of Justice, and the Federal Trade Commission asking they hold Microsoft accountable for a repeated pattern of negligent cybersecurity practices, which has enabled Chinese espionage against the United States government. According to data from Google Project Zero, Microsoft products have accounted for an aggregate 42.5% of all zero-days discovered since 2014."

So it turns out this has been going on for years. They are negligent. The government has been getting involved now, and people are just absolutely fed up. So whatever has happened to Nightmare Eclipse, obviously there's probably a bigger backstory than we realize. Now, we may not get the entire story, but we do know how Microsoft is going to respond: "A shared responsibility: protecting customers through coordinated vulnerability disclosure." In other words, you need to do these kinds of responsible disclosures, or else whatever they say in here is going to happen. Now, they obviously are acknowledging these Eclipse vulnerabilities that have been happening: "In recent weeks, several zero-day vulnerabilities have been publicly disclosed." Now, if you go down here, you can see that they list out a couple of those right there, including Green Plasma and Mini Plasma, with no links. But even further down right here, look at this line: "Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity, coordinating as needed with law enforcement around the world." In other words, if you don't responsibly disclose, they're going to bring the long arm of justice against you. They're actually out there being like, "Yo, it's actually a crime not to tell us where we have messed up. We're probably going to completely disincentivize people. We're probably going to take their work. We're probably not going to give them credit, as we have on multiple occasions. We're probably not even going to give them money. But you know what? If you don't do right by us, then that's actually evil, wrong, and deserves to be punished, and you should be thrown in some sort of concrete box with metal bars, because you're the bad person."

You know, me just being a complete novice, I'm a complete novice in this area. I don't know how to hack. I one time found a vulnerability that was super, super duper massive, but that's because I stumbled ass-backwards into it completely by accident. I've never really done any sort of serious security research. And so I don't actually understand the world that's out there. But from all the private messages I have received, even about this specific topic, Microsoft has been hands down dealing people dirty for over a decade, it appears, at least if I'm to believe all the stories I've been told, and some of them are from quite credible people. Anyways, I wanted to make this video because I feel like it's just super unfair how they're treating people, and I don't think a lot of people even know that this is happening. It's honestly a pretty responsible disclosure thing of me to do, to let people know just how bad this organization is. Okay. Hey, I'm doing this for the love of the game. Okay. The name is ThePrimeagen.
The video explores the case of 'Nightmare Eclipse', a malicious actor releasing a series of zero-day exploits against Microsoft. While the release of these exploits is dangerous, the video highlights a systemic issue regarding how Microsoft's Security Response Center (MSRC) treats security researchers. The creator discusses numerous accounts of researchers being ignored, strung along, or denied credit and payment for their vulnerabilities, suggesting that Microsoft's dismissive behavior has created a hostile environment that disincentivizes responsible disclosure.