Is it unauthorised if a user chooses to add the package themselves? This is not being put into anyone's machine clandestinely. It is the software user's responsibility to ensure the software is doing what you expect.
IANAL, but I suspect that it is considered unauthorized as there are many avenues in which a dependency will get updated without a user specifying this exact package and version. I think the key here is that there is clear malicious intent.
Cybercrime offences are found in Commonwealth legislation within parts 10.7 and 10.8 of the Criminal Code Act 1995 and include:
-Computer intrusions
-Unauthorised modification of data, including destruction of data
-Unauthorised impairment of electronic communications, including denial of service attacks
-The creation and distribution of malicious software (for example, malware, viruses, ransomware)
-Dishonestly obtaining or dealing in personal financial information.