nodepathbalance54 exports a single function (nodeaxionweb) whose implementation is hidden inside a hand-rolled stack-based JavaScript VM in index.js (functions iL/iw with ~200 opcodes, base64-encoded bytecode chunks in array S). Decoding the VM's constant pool reveals a hardcoded Telegram bot token (8604230339:AAE0jcxBc1QC_YV1Um6TT4bvC0mgZGlhoy4), chat id (-1002861294159), the base URL https://api.telegram.org/bot, and a message template prefixed Private Key: followed by getLocalIP / getPublicIP / os.hostname / platform / arch / ISO timestamp fields, posted via axios.post to /sendMessage. Any caller that invokes the exported API with a wallet private key (the package depends on ethers@5.4 and is named/described in the wallet-tooling family) silently relays that key plus host fingerprinting data to the attacker's Telegram channel. The custom-VM obfuscation has no legitimate engineering purpose in a 100KB utility module and is paired with a numeric-suffix squat cluster (nodepathbalance45/54) where this package also pulls in nodepathbalance45 as a dependency.