Microsoft Has A Security Problem
Chapters
Introduces Nightmare Eclipse and explains the six zero-day exploits against Microsoft since April 2026, framed as an escalating retaliatory campaign.
A sharp take on Nightmare Eclipse and MSRC, arguing Microsoft mishandles vulnerability disclosures and security researcher credit.
Summary
The PrimeTime’s video centers on Nightmare Eclipse, an unidentified actor who has been releasing Windows zero-days since April 2026, and on how the Microsoft Security Response Center (MSRC) allegedly handles disclosures. The creator uses a provocative framing, paired with an anime waifu image, to set up a discussion about risk, blame, and accountability in security. He connects Nightmare Eclipse’s weekly zero-days to broader claims about MSRC’s response patterns, including lack of CVE attribution and delayed or withheld rewards. The video weighs Microsoft’s public stance on coordinated vulnerability disclosure against anecdotes from researchers about MSRC practices. It weaves in external signals, like Google Project Zero data and a 2023 Senate letter, to question the reliability of Microsoft’s defenses. The sponsor, Colonel.sh, is briefly promoted as a tool for AI agents to access the internet, illustrating the channel’s tech-savvy approach. The creator also reflects on his own limited security background while arguing that MSRC has historically “disincentivize[d]” researchers and silenced some disclosures. Overall, the piece invites viewers to reassess who bears responsibility when zero-days emerge and how responsible disclosure is navigated in big tech.
Key Takeaways
- Nightmare Eclipse has released six Windows zero-days since early April 2026: Blue Hammer, Red Sun, Undefend, Yellow Key, Green Plasma, and Mini Plasma.
- Microsoft Security Response Center is portrayed as undervaluing or failing to credit researchers, sometimes avoiding CVE attribution or delaying disclosure.
- A 2023 Senate letter, citing Google Project Zero data, claimed Microsoft products accounted for 42.5% of all zero-days discovered since 2014.
- MSRC’s stance on coordinated vulnerability disclosure is framed as a lever to force responsible disclosure or face consequences.
- The video argues broader concerns about Microsoft’s security culture, including long-standing complaints from researchers about poor responsiveness and credit.
- VX Underground references and insider-origin theories are used to suggest insider involvement or systemic issues within MSRC.
- The sponsor segment promotes Colonel.sh as a fast, open-source infra for AI agents to access the internet, highlighting practical security tooling in the ecosystem.
Who Is This For?
Security researchers, developers, and IT pros who follow zero-day news and corporate accountability. Perfect for viewers wanting a critical take on MSRC practices and the ethics of vulnerability disclosure.
Notable Quotes
"Nightmare Eclipse, Dead Eclipse, Chaotic Eclipse, or Just Eclipse, is a malicious actor who has released six Windows zero-day exploits since early April 2026 in what multiple researchers described as an escalating retaliatory campaign against Microsoft."
—Defines Nightmare Eclipse and frames the scope of the threat.
"Defenders and researchers should respond to Nightmare Eclipse as seriously as any other threat actor."
—Cites MSRC-related guidance as justification for treating the actor seriously.
"MSRC did not reward the bounty, nor did they attribute a CVE to this finding because it doesn't meet their criteria as vulnerability that requires an immediate security update."
—Crucial claim about MSRC's vulnerability handling and credit.
"Last time I dealt with MSRC, responsibly disclosed an issue with a legacy OT that allowed me to spray passwords at redacted endpoint and avoid smart lockout."
—Personal anecdote to illustrate perceived MSRC shortcomings.
"Microsoft Security Response Center is actually somehow this center that is just really disservicing the security researchers out there."
—Summarizes the core grievance with MSRC's treatment of researchers.
Questions This Video Answers
- What exactly is Nightmare Eclipse and why is it significant for Microsoft security?
- How has Microsoft’s MSRC historically handled vulnerability disclosures and CVE attribution?
- Did a 2023 Senate letter really link Microsoft to security issues based on Google Project Zero data?
- What is coordinated vulnerability disclosure and how should big tech companies respond?
- Why do some researchers feel MSRC disincentivizes responsible disclosure?
Nightmare Eclipse, MSRC, zero-day exploits, coordinated vulnerability disclosure, Google Project Zero data, Senator Ron Wyden letter, Windows security, cybersecurity policy, Colonel.sh, VX Underground
Full Transcript
Now, I know most of my videos about Microsoft tend to be a little bit more nitpicky uh or making fun of a situation. Like, look at this graph right here. You see how it starts off at pretty much zero and then just in the last year completely exploding. Well, what is this graph? Well, this is the Google trends for GitHub alternatives. Normally, I'd make a video and we'd all GitHub what? Oh, they suck. But this time, this video it's a little different. Okay, I want you to take a look at this picture. I know, anime waifu.
Some of you pretty excited. Calm down. This is not an exciting topic. Okay, this picture right here is nothing but distilled fear for Microsoft. For you, probably something different. Distilled something completely different. But for Microsoft, absolutely the most terrifying image they've seen in years. Now, if you're not chronically online and I'm your new source, which a lot of you say that, uh, if that's the case, then this image, you're probably going, "Well, what what's so scary? What's so scary about a little anime waifu?" is we all know what happens when you see an anime waifu, right?
Either whatever's coming up next is going to be just singlehandedly the dumbest thing you've ever heard in your entire lifetime or from the most cracked engineer you've ever seen in your lifetime. Well, it turns out it's the second one. Okay, it's the very very cracked because what you're seeing is the nightmare eclipse account. Six zero days in six weeks and one big grudge. This individual is releasing zero days that are absolutely devastating once a week for the last 6 weeks. They have been banned off of GitHub. They just got done being banned off of GitLab.
They are losing and de being deplatformed constantly by releasing these huge zero days. Now, if you're anything like me, you probably go, okay, well, like releasing zero days, that's that's bad, right? I mean, I'm not a huge security guy, so I can't tell you a lot about security. Uh, but I can tell you that it seems bad, right? Releasing out stuff that could potentially get just your average mom and pa hacked or have some of their assets stolen. Yeah, that sounds that sounds pretty bad. But when you start learning about this story, when you start learning about Microsoft, I think you're going to be a little bit surprised.
And maybe, just maybe, you'll go, "Oh, this story's a bit different." Now, before we get to the Nightmare Eclipse anime waifu, we first need to say thank you to the sponsors. I know a lot of you have agents and you're letting them run around on the internet on your computer. Stop it. That's the easiest way to shoot yourself in the foot. This is why you need today's video sponsor, Colonel.sh, the crazy fast and open-source infra for your AI agents to access the internet. It takes under 30 milliseconds to spin up one or 1,000 cloud browsers for your agents, and authentication is automatically handled.
Right now, over 3,000 teams already use this in production, including Framer and Cash App. So, quit nerfing your agents and give them a real browser. Head on over to colonel.sh and let them use the internet. Welcome back. So, first, let's just like learn a little bit about kind of the backstory or what's going on and then we're going to see some of the reactions which is going to make you kind of have a a kind of a 180 about what's going on. So, first off, Nightmare Eclipse, Dead Eclipse, Chaotic Eclipse, or Just Eclipse, is a malicious actor who has released six Windows zero-day exploits since early April 2026 in what multiple researchers described as an escalating retaliatory campaign against Microsoft.
Eclipse doesn't fit neatly into the traditional threat intelligence categories. They don't appear to be seeking profits, advancing a social cause, or pursuing geopolitical objectives. In other words, just pure chaos. Like they're literally out there for the love of the game. They appear to be a single security researcher driven by a personal vengeance deliberately unleashing dangerous exploits that others are now using in real world attacks. Defenders and researchers should respond to nightmare eclipse as seriously as any other threat actor. Even though they operate alone and outside the usual ecosystem. And of course the list of their exploits.
Blue Hammer, Red Sun, Undefend, Yellow Key, Green Plasma, Mini Plasma, and several of them unpatched. If you're interested more in kind of some of the backstory and like how they're coming up with the names, you can check out the link in the description. But the part that's pretty interesting is that the actor identity is unknown, but people believe this is an insider. They believe it is a former Microsoft employee. Nightmare Eclipse also alleges that personnel directly threatened them from Microsoft Security Response Center. I was told personally by them that they will ruin my life and they did.
All right, so that's kind of like where we stand on what we know about this situation. And so for me, I was, you know, you could see that there's some sort of personal grievance, some sort of vendetta going on here. But still, I still kind of feel bad about Zero Days being released just proof of concept right into the wild because people will end up getting hurt. Granted, that's still true, but now I'm starting to learn a lot of things about Microsoft Security Response Center, and I think you should probably know about them, too. Last time I dealt with Microsoft Security Response Center, I found a command injection vulnerability present for a decade in context menus.
Not highly critical, but still exploitable. MSRC did not reward the bounty, nor did they attribute a CVE to this finding because it doesn't meet their criteria as vulnerability that requires an immediate security update. However, it was fixed a month later in Windows 11 Canary. So, taking credit and pretending like it's not a big deal and not paying somebody. My last submission to MSRC was for a Defend Guard bypass. I learned my lesson from prior drawn out submissions. So, I included a 90-day window this time. MSRC responded saying that I met their bar and they would fix it, but asked me to withhold disclosure for another 90 days because they needed a few extra months to fix it.
I agreed on the condition that they issue a CVE to which they agreed. After the agreed upon patch Tuesday a few months later, I couldn't find any mention in the CVE list. So, I reached out to MSRC to inquire. It turns out they changed their minds, deciding it did not meet their bar for servicing, yet patched it anyways. Since it didn't meet their bar, they didn't issue a CVE. MSRC strung me along a few extra months to keep me quiet and then broke their word. Huh. So, again, they effectively strung somebody along and didn't give them credit, effectively refusing to pay them.
Kind of seems like a little bit of a reoccurring theme, don't you think? Last time I dealt with MSRC, responsibly disclosed an issue with a legacy OT that allowed me to spray passwords at redacted endpoint and avoid smart lockout. Received an email 5 months after initial case opening. Doesn't meet the bar for servicing. Microsoft silently fixed and closed the case. Huh. You know, it's almost like you're starting to see a pattern here. And if you check out VX Underground, apparently there's a maybe a little bit more that we don't understand. It turns out that Microsoft Security Response Center is actually somehow this center that is just really disservicing the security researchers out there.
They are completely ignoring them and or they're just taking their work, silently fixing it, not responding, doing all sorts of stuff that just massively disincentivizes the entire security research world. And this has been going on for years. It's been going on for so long that look at this right here. LA, this is in August 2023. Okay, this is 3 years ago. Last week, Senator Ron Wyden sent a letter to the Cybersecurity and Infrastructure Security Agency, the Department of Justice, and Federal Trade Commission asking they hold Microsoft accountable for repeated pattern of negligent cyber security practices, which has enabled the Chinese espionage against the United States government.
According to the data from Google Project Zero, Microsoft products have accounted for an aggregate 42.5% of all zero days discovered since 2014. So it turns out this has been going on for years. They are negligent. They have been the government has been getting involved now and people are just absolutely fed up. So whatever has happened to Nightmare Eclipse, obviously there's probably a bigger backstory than we realize. Now we may not get the entire story, but we do know how Microsoft is going to respond. A shared responsibility protecting customers through coordinated vulnerability disclosure. In other words, you need to do these kind of responsible disclosures or else whatever they say in here is going to happen.
Now, they obviously are acknowledging this eclipse uh vulnerabilities that have been happening. In recent weeks, several zero day vulnerabilities have been publicly disclosed. Now, if you go down here, you can see that they list out a couple of those right there, including no links to green plasma or mini plasma. But even further down right here, look at this line. Our digital crimes unit will continue bringing cases against these actors and those who that enable their criminal activity, coordinating as needed with law enforcement around the world. In other words, if you don't responsibly disclose, they're going to bring the longhand of justice against you.
They're actually out there being like, "Yo, it's actually a crime not to tell us where we have messed up. We're probably going to completely disincentivize people. We're probably going to take their work. We're probably not going to give them credit as we have on multiple occasions. We're probably not even going to give them money. But you know what? If you don't do right by us, then that's actually evil, wrong, and deserves to be punished, and you should be thrown in some sort of uh concrete box with metal bars because you're the bad person. You know, me just being like a complete novice.
I'm a complete novice in this area. I don't know how to hack. I one time found a vulnerability that was super super duper massive, but that's because I I stumbled ass backwards into it completely by accident. I've never really done any sort of serious security researching. And so I don't actually understand the world that's out there. But from all the private messages I have received even about this specific topic, Microsoft has been hands down dealing people dirty for over a decade. it appears at least that's if I are if I'm to believe all the stories I've been told and some of them are from quite credible people.
Anyways, I wanted to make this video because I feel like it's just super unfair how they're treating people and I don't think a lot of people even know that this is happening. It's honestly it's a pretty responsible disclosure thing of me to do to let people know just how bad this organization is. Okay. Hey, I'm not I'm not Hey, I I'm doing this for the love of the game. Okay. The name is the primogen.



