In this case, it was actually a valid image that was already in your system. We do full image checks when importing so it wouldn't be imported without appearing to be a valid image.
However, we do have an extra check on any uploaded image for the "<?php" string, though this is mostly to attempt to (partially) workaround a security issue that comes from a server misconfiguration. This issue is moot on most servers; it's a specific Nginx configuration (generally well documented). We just provide an extra layer of protection against it, at the expense of a theoretical false positive.