The 'vulnerability' is in the kernel, it replaces some of the tcp send functionality and is at a much lower level than nginx. It looks for outgoing http traffic and injects a bad iframe.

No idea on how it gets there though, no details from any source I've seen.