Microsoft said Wednesday that six Windows zero-day vulnerability bugs tied to a researcher known as Nightmare Eclipse, also called Chaotic Eclipse, were not reported through its official channels before they were made public. The company said three of the flaws — BlueHammer, RedSun and UnDefend — were hit soon after working proof-of-concept exploit code was published.

The software maker named the other three bugs as YellowKey, GreenPlasma and MiniPlasma, and said YellowKey, also known as CVE-2026-45585, is more likely to be exploited because a working proof of concept already exists. Microsoft said its Digital Crimes Unit will keep bringing cases against actors and those who enable criminal activity, as the dispute over the disclosures spilled into open threats and accusations.

The fight centers on a researcher who has already released six Windows zero-days and says Microsoft deleted the account used to report bugs. In a statement, Microsoft said it remains firmly opposed to disclosures outside proper coordination that could harm customers and the digital ecosystem, and warned that uncoordinated publication of proof-of-concept code for unpatched vulnerabilities has real-world consequences.

On Saturday, Nightmare Eclipse said Microsoft refused to communicate, humiliated them and insulted them in front of people. The researcher also wrote, “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.” In the same post, they added, “Mark this date July 14th, I will make sure your bones are shattered that day.”

The dispute has drawn attention because the flaws were not abstract. Working proof-of-concept code was followed by attacks on three of the six bugs, and Microsoft itself said exploitation is more likely for YellowKey. That makes the sequence unusually fast: publication, attack and warning all landed in close succession, leaving administrators to deal with a broader Windows risk while the argument over disclosure turned personal.

For security teams, the immediate task is simple: treat the three under active exploitation as urgent, and watch the other three closely. For Microsoft, the larger test is whether its posture on public disclosure and enforcement can deter the next round of releases without convincing more researchers that reporting through official channels gets them nowhere. Muhammad Qasim Shahzad, a systems engineer, said the fallout was so broad that “one person caused more enterprise-level damage in six weeks than most APT groups cause in a year.”