Antivirus (Bitdefender) flags posttool validate and telemetry

Where does the bug appear (feature/product)?

Cursor IDE

Describe the Bug

I’m on windows and since the latest update my bitdefender always complains when a cursor tool is used via powershell. The toolcall itself executes as expected but it seems that

.cursor\plugins\cache\cursor-public\vercel\2e79fc9698b0f25253a238f4ac5ab6d3265d266d/hooks/posttooluse-telemetry.mjs\

and

.cursor\plugins\cache\cursor-public\vercel\2e79fc9698b0f25253a238f4ac5ab6d3265d266d/hooks/posttooluse-validate.mjs\

do some suspicious work according to Bitdefender.

does anyone else have this problem?

Steps to Reproduce

good question - I think this depends on the antivirus used.

Expected Behavior

posttool validate and telemetry should not trigger antivirus.

Operating System

Windows 10/11

Version Information

Version: 2.6.21 (user setup)
VSCode Version: 1.105.1
Commit: fea2f546c979a0a4ad1deab23552a43568807590
Date: 2026-03-21T22:09:10.098Z
Build Type: Stable
Release Track: Default
Electron: 39.8.1
Chromium: 142.0.7444.265
Node.js: 22.22.1
V8: 14.2.231.22-electron.0
OS: Windows_NT x64 10.0.26200

Does this stop you from using Cursor

No - Cursor works, but with this issue

Hey, thanks for the report. This is a known issue. Antivirus tools like Bitdefender, Kaspersky, Norton, and Defender sometimes flag Cursor files because of heuristic scanning. In this case, posttooluse-telemetry.mjs and posttooluse-validate.mjs are legit Vercel plugin hook scripts that get downloaded into the cache and run via PowerShell when the agent tools are used. That pattern, dynamically downloaded scripts running from a cache directory, often triggers AV false positives.

Workaround: add a Bitdefender exception for the .cursor/plugins/cache/ directory. That should stop the warnings.

Let me know if you have any other questions.