I took a look at the code.
there's a function still in the code that ran on april fools 2016 which seems to have been designed to mess up your screen for 4 seconds while outputting "VIRUS DETECTED, DELETE STEAM". there's no code in the add-on to suggest that your game can receive and execute commands from some server, and the april fools joke doesn't execute unless your computer is on the exact date of 04/01/2016 (it's not coded to repeat annually).
gLua (scripting language that GMod uses) can only access GMod's game folder; it is impossible for gLua to run executable files, the most destructive thing that gLua code can do is have GMod delete all its files/folders -- all of this similar to Blockland.
I can assure you that an add-on that hasn't been updated since april 2016 would not be up on the workshop for more than a week at tops if it had committed a malicious update like the one you haven't actually described at all.