The New York Times reported on Saturday that a hacking vulnerability known as EternalBlue has been exploited to blackmail Baltimore’s local government.
The NSA discovered the flaw, but the paper claims that its cyber-spies kept the discovery secret for years.
The NSA declined to comment.
But the report has particular resonance as the organisation is headquartered at Fort Meade, Maryland, which is a short drive from Baltimore.
“We don’t have anything for you on this,” an NSA spokesman told the BBC.
The EternalBlue flaw has been implicated in a range of cyber-attacks over the past three years, including the WannaCry assault that disrupted the UK’s NHS.
It involves a bug in old versions of Microsoft’s Windows operating system that allows other malicious code to be run on infected computers.
The NSA reportedly created a tool to do this, which it also called EternalBlue.
The New York Times said the agency did not disclose the problem to Microsoft for more than five years until a breach forced its hand.
Microsoft released a fix for EternalBlue flaw in March 2017.
Weeks later, a group calling itself the Shadow Brokers leaked the NSA’s related hacking tool online.
The NSA has never confirmed how it came to lose control of its code nor officially commented on the affair.
But the suggestion is that if it had shared its findings with Microsoft at an earlier stage, fewer PCs would have been exposed to subsequent attacks that made use of the vulnerability.