Abstract:
With the widespread application of artificial intelligence (AI) technology, the software supply chain is facing more complex and diverse security threats. Taking the cyber-attack incidents that DeepSeek has encountered since January 2025 as its entry point, this article conducts an in-depth analysis of the attack methods and potential risks in the software supply chain. Based on the ATT&CK framework, the article analyzes the strategies, tactics, techniques, procedures, and geopolitical competition behind the attacks. To address these challenges, it proposes comprehensive governance strategies at the enterprise, industry, and national levels. The article emphasizes that software supply chain security is key to national security in the AI era. It is essential to strengthen the foundation of AI development and safeguard national digital sovereignty through integrated governance that combines technology, management, and ecosystem approaches.