Abstract: The prosperity of open-source software has spurred robust growth in the software industry and has also given rise to a supply chain development model built on open-source software. Essentially, the open-source software supply chain is a complex topological network composed of the key elements of the open-source ecosystem and their interrelations. Its globalized product advantages help to improve the development efficiency of the software industry. However, the open-source software supply chain also has characteristics such as intricate dependencies, widespread propagation, and an expanded attack surface, which introduce new security risks. Although existing security management based on vulnerabilities and threat intelligence can provide early warnings and proactive defense, the efficiency of vulnerability handling is severely affected by delays in obtaining vulnerability threat information and by the lack of associated attack technique and mitigation information. To address these issues, a vulnerability threat intelligence sensing method for the open-source software supply chain is designed and implemented. It consists of two parts: 1) Construction of a cyber threat intelligence (CTI) knowledge graph. During construction, relevant technologies are used to analyze and process security intelligence in real time. In particular, the SecERNIE model and the software package naming matrix are introduced to address the challenges of vulnerability-threat correlation mining and open-source software alias resolution, respectively. 2) Vulnerability risk information push. Based on the software package naming matrix, software package filtering rules are established to enable real-time filtering and pushing of vulnerabilities affecting open-source systems. The effectiveness and applicability of the proposed method are validated through experiments.
Results show that, compared to traditional vulnerability platforms such as NVD, the proposed method advances the sensing time by an average of 90.03 days. The coverage rate of operating system software increases by 74.37%, and using the SecERNIE model, the relationships between 63492 CVE vulnerabilities and attack technique entities are mapped. Specifically, for the openEuler operating system, the traceable system software coverage rate reaches 92.76%, with 6239 security vulnerabilities detected. This study also identifies 891 vulnerability-attack correlations in openEuler and obtains the corresponding solutions, which serve as a reference for vulnerability handling. Two typical attack scenarios are verified in a real attack environment, demonstrating the efficacy of the proposed method in vulnerability threat sensing.
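As an added illustration of the alias-resolution and filtering step described in part 2 (example code written for this page, not the paper's implementation), the following Python sketch models a software package naming matrix and uses it to filter a CVE feed down to entries that affect an operating system's package inventory. The alias entries, package inventory and CVE identifiers are constructed placeholders, and the matrix format is an assumption.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed alias matrix (assumption, not the paper's): canonical package name as
# built by the OS -> names under which CVE feeds and upstream advisories refer to it.
ALIAS_MATRIX: Dict[str, Set[str]] = {
    "openssl": {"openssl", "openssl-libs", "libssl"},
    "python3": {"python", "python3", "cpython"},
    "kernel":  {"linux", "linux-kernel", "linux_kernel"},
    "glibc":   {"glibc", "gnu-libc", "libc6"},
}

# Constructed package inventory of the monitored system.
INSTALLED: List[str] = ["openssl", "python3", "kernel"]

# Constructed CVE records with placeholder identifiers (the abstract gives no CVE IDs).
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "products": ["OpenSSL 3.0.7"]},
    {"id": "CVE-0000-0002", "products": ["cpython"]},
    {"id": "CVE-0000-0003", "products": ["libc6"]},          # glibc: not installed
    {"id": "CVE-0000-0004", "products": ["nginx"]},          # unknown to the matrix
    {"id": "CVE-0000-0005", "products": ["Linux_Kernel 5.10"]},
]

def normalize(name: str) -> str:
    """Canonicalise a product/package string: case, separators and a trailing version."""
    n = re.sub(r"[\s_]+", "-", name.strip().lower())
    return re.sub(r"-\d[\w.]*$", "", n)  # "openssl-3.0.7" -> "openssl"

def build_alias_index(matrix: Dict[str, Set[str]]) -> Dict[str, str]:
    """Invert the naming matrix into alias -> canonical package name."""
    index: Dict[str, str] = {}
    for canonical, aliases in matrix.items():
        for alias in aliases | {canonical}:
            index[normalize(alias)] = canonical
    return index

def filter_cves(cves, installed: List[str], matrix: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Filtering rule: push a CVE only when one of its affected products resolves,
    through the alias index, to a package that is actually installed."""
    index = build_alias_index(matrix)
    installed_set = {normalize(p) for p in installed}
    hits: List[Tuple[str, str]] = []
    for cve in cves:
        for product in cve["products"]:
            canonical = index.get(normalize(product))
            if canonical is not None and canonical in installed_set:
                hits.append((cve["id"], canonical))
                break
    return hits
```

Products that the matrix cannot resolve (here "nginx") are silently dropped; in practice they should be queued for analyst review so that the matrix keeps growing.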