I'm not betting on a ngnix backdoor but one in it's dependencies.

They are very easy to overlook and even a company does not have the manpower to vet them all.