I purchased a set of 2 M9+ brand new from amazon last december and have set up the mesh wifi properly. It's sitting behind my ISP modem/router. Things were working well until yesterday. I got a notification that a new device had joined the mesh network, but that was anyone in my household. I checked the MAC and sure enough it's not a MAC on my list (yes, I have a list of MAC for all my devices). My password setting is WPA2 personal, AES, and 30 characters long includes both upper/lower case letters, numbers and special character. About the only thing I can think of that reveals I own a Deco router is I had "Deco" in my SSID.

Anybody has heard/seen something similar?

As a precaution I have blocked that MAC, change SSID and password (it's now 40+ characters long). I have also tried hiding SSID but now reverted because some devices don't work with hidden ssid. This is the first time I see something like this. I am thinking to return the set.