This is a non issue. It's like saying hackers used a programming language to write malicious code.
Of course they did. How else would they do it?
They're just using the Godot engine (C#) to do it instead of the python interpreter.
Edit: The people downvoting appear to not understand how this works.
They wrote a module and made it available through the Gadot GodLoader "marketplace" for people to download. You could do the same thing with Unity3D, or UnrealEngine, or the Android store, or the Apple Store. The difference is those have safeguards from paid people and systems to verify the authenticity and maliciousness of the tools/code that are submitted. Gadot/Godloader lacks these controls in their system.
The only thing it's really doing it running arbitrary code. Arbitrary code the user would have to in some way allow it to run by installing an unknown/unverified script.
Similar to something like the Greasemonkey extension for FF/Chrome.
When you use modules and tools like this you are taking a risk that you are able to self-monitor, otherwise only run scripts/download modules from trusted sources.
There's nothing specific about Gadot's system here, this is like clickbait.