This made me remember an old implementation detail. When rejecting calls or other SIP messages, we challenge them for authentication (even if they match no endpoint) so that outside parties can’t enumerate valid usernames. This is done by having an internal “artificial” endpoint get created whose sole purpose is to do this. Its name is that of a UUID, and it wouldn’t show up in “pjsip show endpoints” because its existence is confined to the first level of handling of traffic. It’s possible that some interaction is causing this to show up in ARI. Things are explicitly hardcoded so the endpoint can never be used for legit calls, but we still shouldn’t allow it to show up there.
I’d suggest filing an issue on the Asterisk issue tracker[1].