Disable nginx , then deal with it without fuss, study new files, logs, databases, etc.
You do not want to say that php can (has rights) to change system files, run any processes, etc.?

The hacker uploaded and wants to merge the project into the public.

This is a very strange statement, because this usually happens very quickly. While you are thinking what to do, the project will already be merged. Well, of course, if it's not a mega heavy base through a narrow connection. So the hacker will first merge the project, and then he will want to put it in public, lazily corresponding with you or with anyone else.
In the general case, advice is to immediately chop off everything that is possible, and then think. Ideally, there should be physical access to cut off the Internet. Although, in theory, a malicious script could be so smart that its autonomous actions would be more dangerous than when controlled by a hacker remotely, such a script is difficult and expensive to make, so it is rare.

Some strange question, more like paranoia.
This is not an indicator of the popularity of the resource among hackers, but a routine. Stupid kids from all over the world run fan scans, this stuff is full in the logs of any site.
This is the weirdest part. The walk is already flooded, and the hacker is sitting and waiting for you to ask a question on the toaster?

Probably the issue here is not Nginx, apache or something else. And the fact that the person on the backend did not have a check for the file type extension, this led to the fact that the user was able to upload the file and download everything that gave him (by access rights).
They protect themselves from this at least by checking extensions, and renaming files can be done as a bonus (which, by the way, is also important). Then in this case the user will be able to load only allowed formats. If you need a solution, then the github is full of links to such libraries, which already have extension filtering (if you don’t want to write the code yourself)