Your site is compromised with the fake Cloudflare bot verification malware.
As the site doesn’t use Cloudflare at all, the source of the compromise cannot be your Cloudflare account: the attacker is merely leveraging Cloudflare’s branding to social-engineer unsuspecting people visitors to your site.
It seems the domain’s nameservers ns[1-4].digitalpacific.com.au are vanity/branded Cloudflare nameservers, so the root of this could be your Cloudflare account after all.
