Microsoft Threatens Nightmare Eclipse With Criminal Action Over Windows Vulnerability Disclosures

29 May 2026 · Technology and Science · 7 sources

Key Takeaways

  • Microsoft threatened criminal action and law-enforcement involvement against Nightmare Eclipse over disclosed Windows vulnerabilities.
  • The researcher published unpatched bugs and exploit code prompting the company’s legal threats.
  • Media coverage framed the incident as a broader debate over vulnerability disclosure responsibilities.

Microsoft vs researchers

Microsoft is facing a cybersecurity uproar after it threatened legal action and said it would coordinate “as needed with law enforcement” following a dispute with a researcher known as “Nightmare Eclipse.”

Image caption (01net): A new security flaw has been discovered in how Copilot, Microsoft's AI assistant integrated into Windows and the vendor's tools, operates.

PCMag said the controversy centers on Nightmare Eclipse publishing Windows vulnerabilities outside the Microsoft Security Response Center (MSRC) route that researchers normally use for patching, and it quoted the researcher saying, “They mopped the floor with me and pulled every childish game they could.”


TechCrunch reported that Microsoft’s blog criticized Nightmare Eclipse for publicly disclosing bugs including BlueHammer, RedSun, UnDefend, and YellowKey, which affected products such as the Windows built-in antivirus engine Defender and the disk-encryption tool BitLocker.

TechCrunch also said Microsoft’s Digital Crimes Unit wrote, “Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity — coordinating as needed with law enforcement around the world,” as the spat reignited debate over disclosure responsibility.

Copilot Reprompt data theft

Separately, Varonis researchers described a Copilot vulnerability named Reprompt that they said could enable extensive data theft on a victim’s computer with “a single click from the target.”

01net said Reprompt works by repeatedly reissuing the same query in a loop, and it described an attacker using a legitimate URL that redirects to Copilot while embedding a malicious parameter that triggers a pre-determined request when the page loads.


Le Monde Informatique reported that Reprompt has been discovered only in Copilot Personal, not in Microsoft 365 Copilot, and it said the vendor released a patch after being informed of the vulnerability.

01net added that Microsoft included a patch in the latest Windows Patch Tuesday, deployed on January 13, 2026, and it urged users to install the update without delay.

What’s at stake next

The Copilot Reprompt reports emphasize that the attack chain can bypass Copilot’s safeguards by applying them only to the first prompt, with Le Monde Informatique saying “Copilot checks for the presence of malicious content in the Q variable only for the first prompt.”

Image caption (Le Monde Informatique): A new malicious scenario has been identified by Varonis security experts.

Le Monde Informatique also warned that the attacker can stay in Copilot “as long as desired, even after the user closes the chat window,” while data is exfiltrated via server-side follow-up prompts.

In the Nightmare Eclipse dispute, TechCrunch quoted Katie Moussouris warning that Microsoft’s approach would have a chilling effect and “will only result in security researchers distrusting Microsoft.”

TechCrunch further quoted Kevin Beaumont criticizing Microsoft’s stance by asking, “Proof of concept exploit creation and distribution for zero days is ‘criminal activity’ now?” as the two controversies converge on how security research and disclosure are handled.
