Apple’s App Store was infected with malware from China

Apple confirmed Sunday that malicious code has found its way into apps being sold in the App Store – marking the first successful major attack on the marketplace.

In a statement published by Reuters, Apple said that it had found and removed several apps that included a malicious program called Xcode Ghost – a fake version of Apple’s software development program Xcode – that hides malware in otherwise legitimate apps. “We are working with the developers to make sure they’re using the proper version of Xcode to rebuild their apps,” the statement said.

Xcode Ghost was uploaded to a Baidu server in China, where developers picked up the counterfeit software. It has since been taken down. Most of the apps affected, such as the ride-hailing service Didi Kuaidi, are most popular in China. But some of the apps have international audiences, such as Tencent’s popular messaging app WeChat. Bad versions of these apps appear to have been available outside of China, as well, according to security firm Palo Alto Networks.

Apple did not immediately respond to a request for comment. On WeChat’s official blog, the firm said that the issue only affected an older version of its chat program and that it has not found any evidence of a customer’s personal information being taken from the app as a result of the bad code.

While the damage from the attack appears to be limited for now, it’s a public black eye for Apple. One of the selling points of Apple’s App Store and, by extension, its products, is that the company takes security seriously. The firm famously subjects developers to stringent screening processes that can often hold up an app’s launch but allow Apple to promise customers the peace of mind that any app they download from its store is safe.

It’s unprecedented for the company to have allowed so many apps with malicious code to get through its security processes. And because the attack happened at the development stage, average consumers have no meaningful way to parse the good apps from the bad.

Palo Alto Networks published several posts analyzing the flaw on its blog late last week, finding that 39 apps were affected in total, potentially exposing “hundreds of millions” of users, the company said.

Palo Alto Networks security researcher Claud Xiao wrote in a blog post that the software can trigger fake alerts on the iPhone, and has already been used to try to convince Apple users to reveal their iCloud passwords. He also warned that the software could be used to snoop on a device’s clipboard, which could potentially let the program read passwords copied from a password manager.