Comment by mdeeks
I was part of the original team that built Nucleus. It was very specifically an internal API that was never ever supposed to be publicly exposed. We were always very careful with it and did various things like requiring mutual TLS for clients. This was 15-ish years ago though. It's also hard to control what clients end up doing with your API. This reads like they proxied part of it to the public :(
We worked together for a while, if you are the same M. Deeks I worked with. I think you even interviewed me for the internship job originally.
I agree that this looks like an accidental proxy of the API. Everything was so locked down back then, never thought I'd see the API exposed like this.