diff --git a/base/comps/components.toml b/base/comps/components.toml
index 28735f368a3..dd58a004cc1 100644
--- a/base/comps/components.toml
+++ b/base/comps/components.toml
@@ -2161,7 +2161,6 @@ includes = ["**/*.comp.toml", "component-check-disablement.toml", "component-min
 [components.mosh]
 [components.motif]
 [components.mozilla-filesystem]
-[components.mozjs128]
 [components.mozjs140]
 [components.mpdecimal]
 [components.mpfr]
diff --git a/base/comps/mozjs128/modify_source.sh b/base/comps/mozjs128/modify_source.sh
new file mode 100755
index 00000000000..97464b5e14f
--- /dev/null
+++ b/base/comps/mozjs128/modify_source.sh
@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+#
+# mozjs128: download upstream Firefox ESR source, remove a single
+# scanner-tripping test fixture, and repack deterministically as a
+# .tar.xz. The single removed file is:
+#
+#   firefox-128.11.0/third_party/rust/zip/tests/data/aes_archive.zip
+#
+# (AES-encrypted ZIP test vector for the cargo-vendored `zip` crate;
+# never read at AZL build time -- mozjs128 only consumes `js/src/`.)
+#
+# Rationale lives in mozjs128.comp.toml (replace-reason). All output
+# lands under <repo-root>/base/build/work/scratch/mozjs128/.
+
+set -euo pipefail
+
+VERSION="128.11.0"
+ORIGINAL_NAME="firefox-${VERSION}esr.source.tar.xz"
+EXTRACTED_DIRNAME="firefox-${VERSION}"
+MODIFIED_NAME="firefox-${VERSION}esr-azl-aes-fixture-removed.tar.xz"
+UPSTREAM_URL="https://ftp.mozilla.org/pub/firefox/releases/${VERSION}esr/source/${ORIGINAL_NAME}"
+
+# From https://ftp.mozilla.org/pub/firefox/releases/128.11.0esr/SHA512SUMS
+ORIGINAL_SHA512="80af64c1dce6d7a25111480567a3251cc2d1edce00acc4d85bbaa44590f5bbf4c0716f9490c3ab8ef1e6fc2bbabb2379029c2dee51ce477933c7a5935092d279"
+
+# Single path (relative to the extracted top-level dir) to remove.
+REMOVE_PATH="third_party/rust/zip/tests/data/aes_archive.zip"
+
+SCRIPT_DIR="$(cd "$(dirname "$(realpath "$0")")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+WORKDIR="${REPO_ROOT}/base/build/work/scratch/mozjs128"
+mkdir -p "${WORKDIR}"
+cd "${WORKDIR}"
+
+echo "[1/5] Downloading ${ORIGINAL_NAME}"
+[[ -f "${ORIGINAL_NAME}" ]] || curl -fsSL --retry 3 -o "${ORIGINAL_NAME}" "${UPSTREAM_URL}"
+
+echo "[2/5] Verifying upstream SHA512"
+computed=$(sha512sum "${ORIGINAL_NAME}" | awk '{print $1}')
+if [[ "${computed}" != "${ORIGINAL_SHA512}" ]]; then
+    echo "ERROR: upstream SHA512 mismatch" >&2
+    echo "  expected: ${ORIGINAL_SHA512}" >&2
+    echo "  computed: ${computed}" >&2
+    exit 1
+fi
+
+echo "[3/5] Extracting"
+rm -rf "${EXTRACTED_DIRNAME}"
+tar -xf "${ORIGINAL_NAME}"
+
+echo "[4/5] Removing ${EXTRACTED_DIRNAME}/${REMOVE_PATH}"
+if [[ ! -f "${EXTRACTED_DIRNAME}/${REMOVE_PATH}" ]]; then
+    echo "ERROR: expected file not present in upstream tarball: ${REMOVE_PATH}" >&2
+    exit 1
+fi
+rm -f "${EXTRACTED_DIRNAME}/${REMOVE_PATH}"
+
+echo "[5/5] Repacking deterministically"
+# Stable byte output requires: sorted names, fixed mtime, zeroed
+# owner/group, and single-threaded xz (xz -T0 block boundaries vary
+# by host CPU count).
+rm -f "${MODIFIED_NAME}"
+tar --sort=name \
+    --mtime='2024-01-01 00:00:00 UTC' \
+    --owner=0 --group=0 --numeric-owner \
+    -cf - "${EXTRACTED_DIRNAME}" | xz -T1 -9e > "${MODIFIED_NAME}"
+
+MODIFIED_SHA512=$(sha512sum "${MODIFIED_NAME}" | awk '{print $1}')
+echo "${MODIFIED_SHA512}  ${MODIFIED_NAME}" > "${MODIFIED_NAME}.sha512"
+
+cat <<EOF
+
+modified tarball: ${WORKDIR}/${MODIFIED_NAME}
+SHA512:           ${MODIFIED_SHA512}
+
+Upload (after \`az login\`):
+  az storage blob upload \\
+      --auth-mode login \\
+      --account-name azltempstaginglookaside \\
+      --container-name repo \\
+      --name "pkgs_modified/mozjs128/${ORIGINAL_NAME}/sha512/${MODIFIED_SHA512}/${ORIGINAL_NAME}" \\
+      --file "${WORKDIR}/${MODIFIED_NAME}"
+EOF
diff --git a/base/comps/mozjs128/mozjs128.comp.toml b/base/comps/mozjs128/mozjs128.comp.toml
new file mode 100644
index 00000000000..804f8323914
--- /dev/null
+++ b/base/comps/mozjs128/mozjs128.comp.toml
@@ -0,0 +1,9 @@
+[components.mozjs128]
+
+[[components.mozjs128.source-files]]
+filename = "firefox-128.11.0esr.source.tar.xz"
+hash = "39141838e0ead6918b267772486fbbfbacc0596b5baad279170d103d221550d58eb6a0cf5e811b59b7700eb492d743119412b4093dba09dab56a55ff4370db2d"
+hash-type = "SHA512"
+origin = { type = "download", uri = "https://azltempstaginglookaside.blob.core.windows.net/repo/pkgs_modified/mozjs128/firefox-128.11.0esr.source.tar.xz/sha512/39141838e0ead6918b267772486fbbfbacc0596b5baad279170d103d221550d58eb6a0cf5e811b59b7700eb492d743119412b4093dba09dab56a55ff4370db2d/firefox-128.11.0esr.source.tar.xz" }
+replace-upstream = true
+replace-reason = "Serve a locally-modified `firefox-128.11.0esr.source.tar.xz` with the single file `firefox-128.11.0/third_party/rust/zip/tests/data/aes_archive.zip` removed. That file is an AES-encrypted ZIP fixture from the upstream Rust `zip` crate's test suite that trips an automated package-signing pipeline scanner with a benign encrypted-archive verdict. The file is never read at AZL build time (mozjs128 only consumes `js/src/` from this tarball; the cargo-vendored `zip` crate's test corpus is not exercised). See modify_source.sh next to this file."
diff --git a/locks/mozjs128.lock b/locks/mozjs128.lock
index 55de1b16c7a..d68ff38c5f7 100644
--- a/locks/mozjs128.lock
+++ b/locks/mozjs128.lock
@@ -2,5 +2,5 @@
 version = 1
 import-commit = 'ae46ed8d38e0119a29e2e6b2f1acaf54e798b10c'
 upstream-commit = 'ae46ed8d38e0119a29e2e6b2f1acaf54e798b10c'
-input-fingerprint = 'sha256:f37549be8769342de5848352e6e475bfdaef8f105d336888b31c7aa901bf6a21'
+input-fingerprint = 'sha256:3882c9dba0ab29d178eaca9d775554b56c3f1f6b64352c71a8da12f46d031695'
 resolution-input-hash = 'sha256:466421704711c4fd3c71f0b2ed715a0e61d49e3e26f3a2637fee755795849c8e'
diff --git a/specs/m/mozjs128/mozjs128.spec b/specs/m/mozjs128/mozjs128.spec
index 112c4cfa8a6..06ce72b263a 100644
--- a/specs/m/mozjs128/mozjs128.spec
+++ b/specs/m/mozjs128/mozjs128.spec
@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.8.3)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 9;
+    release_number = 10;
     base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
     print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -261,6 +261,9 @@ pushd js/src/
 
 %changelog
 ## START: Generated by rpmautospec
+* Mon May 18 2026 Pawel Winogrodzki <pawelwi@microsoft.com> - 128.11.0-10
+- mozjs128: drop scanner-flagged aes_archive.zip from Source0
+
 * Thu Apr 30 2026 Daniel McIlvaney <damcilva@microsoft.com> - 128.11.0-9
 - feat: introduce deterministic commit resolution via Azure Linux lock file
 
diff --git a/specs/m/mozjs128/sources b/specs/m/mozjs128/sources
index c6c5c9d7051..fbf64bc20b9 100644
--- a/specs/m/mozjs128/sources
+++ b/specs/m/mozjs128/sources
@@ -1 +1 @@
-SHA512 (firefox-128.11.0esr.source.tar.xz) = 80af64c1dce6d7a25111480567a3251cc2d1edce00acc4d85bbaa44590f5bbf4c0716f9490c3ab8ef1e6fc2bbabb2379029c2dee51ce477933c7a5935092d279
+SHA512 (firefox-128.11.0esr.source.tar.xz) = 39141838e0ead6918b267772486fbbfbacc0596b5baad279170d103d221550d58eb6a0cf5e811b59b7700eb492d743119412b4093dba09dab56a55ff4370db2d