
I made a mistake - I was reached out to for work regarding a project. I accidentally built it and ran it locally, and it was obviously a bunch of nonsense code designed to look like a normal React project with a million unused dependencies.

What sort of malware or hostile actions could you foresee? It was a web3 project. The only thing I could foresee is that I typed my MetaMask/wallet password (no money on it) into a fake MetaMask popup. Perhaps they keylogged it? Does anyone have any recommendations for what I could check or scan?

Comment: "What sort of malware or hostile actions could you foresee?" - you ask what can happen if you take code from somewhere and execute it blindly on your system (building it is also already executing instructions from the code)? Anything, no restrictions. Commented Aug 8, 2024 at 17:27

1 Answer

In general, executing code locally means that the code can do whatever you can (which is why you want to log in as a limited user as much as possible), plus it might employ some elevation of privilege exploit to also do whatever a privileged account can do, which means anything at all.

If you are paranoid and want safety and certainty, your machine is now lost. Disconnect it and nuke it and rebuild from a known clean backup. But even before that, all your accounts are also lost. From a known clean machine, change all your passwords for all your accounts - don't check email or anything, just log in, change the password and log out immediately. All machines reachable from your own must be considered suspect and audited. Those where you had administrative privileges, if you're in paranoid mode, should also be considered lost and treated the same way, recursively.

Realistically, though... you say, "I typed in my metamask/wallet password (no money on it) to a fake metamask popup". This tells me that you were offered a job working on some kind of crypto thingy. This, in turn, tells me that in all evidence someone is trolling for crypto-laden and not too paranoid developers, trying to steal their hard-won cryptocurrencies, and you were either a test or one of many victims. Assuming you weren't explicitly targeted and it's an anonymous, mass-sting operation, then accessing your wallet was exactly the only purpose of the scam. So, you compromised that information but nothing else. How much damage this may imply, that's for you to decide. If you did not reuse that password anywhere else, the attackers got nothing. Abandon that wallet and move on. Possibly some kind of remote-control malware may have been left behind (I know that I would have tried to install one), but sanitizing the machine ought to be possible without recourse to extreme measures.
