Looks like a couple of my websites fell foul of the hacking of the fast secure contact form. Really annoying that I had to undo this.
References on both painscience.com.au and also veltman.org to the script that had inserted this into the headers of all my themes:
<script src='https://json.stringengines.com/pson.js?n=1' type='text/javascript'></script>
I think that what appears to have happened here is that the fast secure contact form was bought by a malicious programmer who then put an update that inserted this malware. Its since been pulled by the wordpress site from the list of plugins.
The original author did do one final update on his website that I’ve downloaded, so I’ll probably need to install that on my servers as it was a useful plugin.
Live and learn.