That's odd IIRC The Windows binary was prepared in a Linux environment using official Godot 4.4.1 export templates, so if there's really malware in there then it must either come from the Godot team or Itch itself
EDIT:I've just checked the Windows binary with ClamAV and it reported no malware found.