Mystery Microsoft bug leaker keeps the zero-days coming
Security pros warn YellowKey claim could make stolen laptops a much bigger problem
Connor Jones, Cybersecurity reporter. Published Wed 13 May 2026 // 17:16 UTC
The anonymous security researcher who has already maliciously exposed three Windows zero-days this year has revealed two more, dropping them just after Microsoft's monthly Patch Tuesday update.
Nightmare-Eclipse, or Chaotic Eclipse, depending on which of their aliases you prefer, released details about YellowKey and GreenPlasma - respectively a BitLocker bypass and a privilege escalation flaw, handing SYSTEM access to attackers.
Experts speaking to The Register warned that both vulnerabilities present serious security concerns, especially since Nightmare-Eclipse released substantial technical information about exploiting them.
Nightmare-Eclipse described YellowKey as "one of the most insane discoveries I ever found." They provided the files, which have to be loaded onto a USB drive, and if the attacker completes the key sequence correctly, they are granted unrestricted shell access to a BitLocker-protected machine.
When it comes to claims like these, we usually exercise some caution, as this bug requires physical access to a Windows PC. However, seeing that BitLocker acts as Windows' last line of defense for stolen devices, bypassing the technology grants thieves the ability to access encrypted files.
Rik Ferguson, VP of security intelligence at Forescout, said: "If [the researcher's claim] holds up, a stolen laptop stops being a hardware problem and becomes a breach notification."
Despite the physical access requirement, Gavin Knapp, cyber threat intelligence principal lead at Bridewell, told The Register that YellowKey remains "a huge security problem for organizations using BitLocker."
Citing information shared in cyber threat intelligence circles, he added that YellowKey can be mitigated by implementing a BitLocker PIN and a BIOS password lock.
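As an added illustration of the mitigation Knapp describes (not code from the article or the researcher), the following PowerShell audit lists each BitLocker-protected operating system volume and reports whether it carries a TPM+PIN key protector rather than TPM-only unlock. It assumes an elevated session on a Windows edition that ships the BitLocker module; the firmware password lock is vendor-specific and is not checked here.

```powershell
# Added example: report BitLocker OS volumes that lack a PIN-backed key protector.
# Assumes an elevated PowerShell session and the BitLocker module (Get-BitLockerVolume).
# A TPM-only protector unlocks the drive without user input at boot; TpmPin or
# TpmPinStartupKey require a pre-boot PIN, which is the mitigation cited above.
function Test-BitLockerPinProtection {
    [CmdletBinding()]
    param()

    $pinTypes = @('TpmPin', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }) {
        # Collect the protector types attached to this volume (e.g. Tpm, RecoveryPassword).
        $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPin = @($types | Where-Object { $pinTypes -contains $_ }).Count -gt 0

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus   # Off means the volume is not encrypted/enforced
            KeyProtectors    = ($types -join ', ')
            RequiresPin      = $hasPin                  # $false = TPM-only or no pre-boot authentication
        }
    }
}

# Volumes showing RequiresPin = False are the ones to move to TPM+PIN via the
# "Require additional authentication at startup" policy and Add-BitLockerKeyProtector -TpmAndPinProtector.
Test-BitLockerPinProtection | Format-Table -AutoSize
```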
Nightmare-Eclipse hinted at YellowKey also acting as a backdoor, allegedly injected by Microsoft, although the people we spoke to said this was impossible to verify based on the information available.
The researcher also published partial exploit code for GreenPlasma, rather than a fully formed proof of concept exploit (PoC).
Ferguson noted attackers need to take the code provided by the researcher and figure out how to weaponize it themselves, which is no small task: in its current state it triggers a UAC consent prompt in default Windows configurations, meaning a silent exploit remains a work in progress.
Knapp warned that these kinds of privilege escalation flaws are often used by attackers after they gain an initial foothold in a victim's system.
"These elevation of privilege vulnerabilities are often weaponized during post-exploitation to enable threat actors to discover and harvest credentials and data, before moving laterally to other systems, prior to end goals such as data theft and/or ransomware deployment," he said.
"Currently, there is no known mitigation for GreenPlasma. It will be important to patch when Microsoft addresses the issue."
Four, five… and more?
YellowKey and GreenPlasma are the latest in a series of five Microsoft zero-day bugs the researcher has exposed this year.
When Nightmare-Eclipse released BlueHammer (CVE-2026-32201, CVSS 6.5) - patched by Microsoft in April - they were described as a disgruntled researcher, and have since been rumored to be a former Microsoft employee.
According to their maiden blog post under the Chaotic Eclipse alias, the bug leak began after an alleged violation of trust.
"I never wanted to reopen a blog and a new GitHub account to drop code," they wrote. "But someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine."
In early April, the researcher leaked proof-of-concept code for Windows Defender exploits they called RedSun and UnDefend - another admin privilege escalation bug and denial-of-service flaw, respectively - as well as BlueHammer.
Both RedSun and UnDefend remain unfixed, and according to Huntress, the proof-of-concept code released was quickly picked up and abused in real-world attacks.
Ferguson described the exposure of YellowKey and GreenPlasma as the latest in an escalating, retaliatory campaign against Microsoft, and warned of more coming.
"Prior releases include BlueHammer and RedSun, both of which attracted serious community attention and real forks," he said.
"The same post linking yesterday's releases warns of another Patch Tuesday surprise and hints at future RCE disclosures. They claim to have a dead man's switch with more ready to go. This researcher has followed through on every prior threat." ®