No Malware in Tunnelblick
Tunnelblick 3.7.9 and higher is "Notarized", which means that Apple confirms it has been checked for malware before you install it.
In late September 2018, a small number of antivirus and security programs started alterting their users that there was malware in new downloads of Tunnelblick and in some long-existing installations of Tunnelblick.
There was no malware. These alerts were "false positives", that is, the programs were reporting that Tunnelblick contained malware even though it did not.
Such false positives are not uncommon. One way to check for them is to use a website that will scan a file with multiple anti-malware engines, such as VirusTotal, and see how many engines claim a program is infected compares with how many engines claim the program is not infected. Note that some engines uses other engines, so if BitDefender, for example, claims a program contains malware, other engines such as Emsisoft will also claim the program contains malware, without their own independent examinations.
See Tunnelblick News for more details of the 2018 incident.