Malware attack?

Hi,
Bear with me, as this relates to Nextcloud. I’m on Nextcloud 17, behind an nginx reverse proxy.
I was setting up Oauth2_proxy on Unraid using Docker, with Nextcloud as the OAuth2 authority.

I decided to use Airsonic for testing. I managed to reach the “sign into Nextcloud” page but couldn’t get any further. When I went to look at the Airsonic log on the reverse proxy, I found this immediately after the failed OAuth2 attempt:

193.57.40.46 - - [22/Jan/2020:19:04:00 +1100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200

The IP address is Ukrainian. I wasn’t connected to a VPN at the time, and this appears to be a malware exploit.

When I copied and pasted this into my browser it took me straight into Nextcloud. I was already authenticated in the browser, so that is not a concern. However, when not authenticated it takes me to the external https:// of the Nextcloud subdomain. Fortunately, I have 2FA set up.

Whilst not directly linked to Nextcloud, is this something that somebody could elaborate on? I’m concerned about the irony of using Oauth2_proxy by “pusher”. I’m not suggesting that the coder(s) have done anything wrong; however, it’s incredibly ironic.
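
Added example, not part of the original post: a small Python triage script for access-log lines like the one quoted above. It flags requests for that PHPUnit path, records whether the server answered with a 2xx status, and counts what else the same client requested. The function names are this example's own, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Path from the log line in the post; add other paths you want flagged.
PROBE_PATHS = ("/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php",)

# Combined-log-style prefix. Fields after the status are optional because the
# quoted line stops there; typographic quotes are accepted for pasted lines.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'["“](?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"”]+)["”] '
    r'(?P<status>\d{3})(?: (?P<size>\d+|-))?'
)

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed or non-access-log line
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["target"].split("?", 1)[0]  # ignore the query string
    return rec

def triage(lines, probe_paths=PROBE_PATHS):
    """List probe-path requests with status and the client's other activity."""
    suffixes = tuple(p.lower() for p in probe_paths)
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        hits = [r for r in recs if r["path"].lower().endswith(suffixes)]
        for r in hits:
            findings.append({
                "ip": ip, "time": r["time"], "path": r["path"], "status": r["status"],
                "answered_2xx": 200 <= r["status"] < 300,
                "other_requests_from_ip": len(recs) - len(hits),
            })
    return findings

# First line is the one quoted in the post; the rest are constructed samples.
SAMPLE_LOG = [
    '193.57.40.46 - - [22/Jan/2020:19:04:00 +1100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200',
    '203.0.113.7 - - [22/Jan/2020:19:04:05 +1100] "GET /login HTTP/1.1" 200 512',
    '198.51.100.9 - - [22/Jan/2020:19:05:10 +1100] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 162',
    '198.51.100.9 - - [22/Jan/2020:19:05:11 +1100] "GET /index.php HTTP/1.1" 404 162',
    'not a log line',
]
```

A finding with `answered_2xx` set is the one to follow up on the backend: either the file really exists under the web root, or the application answers unknown paths with a 200 page of its own.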