This happens from time to time.
With the devkit especially it's probably flagging some of the scripts.
With the latest Defender definitions it took about 5 minutes to scan but didn't warn me of any threats.
However, since the installer is so large it can't be submitted to the Windows Defender Team.
The only real alternative I can think of would be to sign the installer packages again, but it's a lot of work.
Luckily MYSYS2 is widely used and someone somewhere will probably tag the offending file as a false positive.
Anyway, sorry for the inconvenience. Hopefully this sheds some light on the problem though.
Justin