
Win64:Evo-gen [Trj] in Recent Cursor Release

Open ItsReddi opened this issue 1 year ago • 6 comments

I wanted to report that both Norton Antivirus and Avast are detecting a Trojan named Win64:Evo-gen [Trj] in the recent release of Cursor. This issue is causing significant concern.

Threat Name: Win64:Evo-gen [Trj]

Detected on: 26.11.24, 12:43
Last used: 26.11.24, 12:43

Activity:
cursor\resources\app\node_modules.asar.unpacked\@anysphere\file-service-win32-x64-msvc\file_service.win32-x64-msvc.node

Thank you for your prompt attention to this matter.

ItsReddi avatar Nov 27 '24 09:11 ItsReddi

Same happened to me just now. Wasn't happening with yesterday's install.

Affected version: 0.42.5
Affected build: 24111460bf2loz1
OS: Windows 11 x64
Antivirus: Avast One

zeeshanejaz avatar Nov 27 '24 20:11 zeeshanejaz

Same here: image

Upgrading from:

Version: 0.43.5
VSCode Version: 1.93.1
Commit: 2eaa79a1b14ccff5d1c78a2c358a08be16a8e5a0
Date: 2024-11-27T09:11:51.854Z
Electron: 30.5.1
Chromium: 124.0.6367.243
Node.js: 20.16.0
V8: 12.4.254.20-electron.0
OS: Windows_NT x64 10.0.26100

srdjan-nikolic avatar Nov 27 '24 23:11 srdjan-nikolic

Same here with Trellix

T1204.002 GLOBAL\xxx ran Cursor.exe, which accessed C:\Users...\AppData\Local\Programs\cursor\resources\app\node_modules.asar.unpacked@anysphere\file-service-win32-x64-msvc\file_service.win32-x64-msvc.node. Adaptive Threat Protection blocked access because the reputation (Most Likely Malicious) is below the configured Block threshold.

Analyzer / Detector
Product name: Trellix Endpoint Security
Product version: 10.7.0.6393
Trellix GTI query: No
Feature name: On-Execute Scan

Threat
Action taken: Block
Threat category: Malware Detected
Threat detected on creation: No
Threat event ID: 35104
Threat handled: Yes
Threat name: JTI/Suspect.65770!bb7c509d28b9
Threat severity: Critical
Threat timestamp: 2024/12/1 9:42 AM
Threat type: Trojan

Source
Source access time: 2024/12/1 9:41 AM
Source create time: 2024/11/28 10:03 AM
Source file path: C:\Users...\AppData\Local\Programs\cursor
Source file size: 177057024
Source hostName: W-PF4Nxxx
Source modify time: 2024/11/27 7:04 PM
Source process name: Cursor.exe
Source user name: GLOBAL...

Target
Target access time: 2024/11/29 5:32 PM
Target create time: 2024/11/28 10:04 AM
Target file size (bytes): 4626944
Target hash: bb7c509d28b9d6bf2449158d20c7e724
Target host name: W-PF4NB8HE
Target modify time: 2024/11/27 7:04 PM
Target name: file_service.win32-x64-msvc.node
Target path: C:\Users...\AppData\Local\Programs\cursor\resources\app\node_modules.asar.unpacked@anysphere\file-service-win32-x64-msvc
Target process name: file_service.win32-x64-msvc.node

Other
Vector type: Local System
Detection message: Adaptive Threat Protection Detection
Duration before detection (days): 2

skye0402 avatar Dec 01 '24 00:12 skye0402

I am suddenly having the same problems with my own repository and release. It just popped up today after I just commented code! HOW? Then I manually downloaded a previous version from github and Norton went on it as well. It didn't say a thing when I generated or uploaded that release!

CmoneBK avatar Dec 02 '24 15:12 CmoneBK

Same issue with Trellix. Following in the hope there's a response from cursor

i004909 avatar Dec 16 '24 09:12 i004909

I have this issue with an Electron Windows app I am developing. What is the issue here? How does just editing on Cursor get a Trojan into my codebase?

crowe-rg avatar Apr 22 '25 01:04 crowe-rg

Same problem on Norton 360 with a custom-developed Python application compiled with Nuitka.

rferraton avatar Jun 22 '25 14:06 rferraton