Hacker News

mrguyorama | last Thursday at 6:58 PM | 0 replies

The primary way supply chain issues in Java are addressed is the very simple way: You don't have a large supply chain.

You have one or two megalibraries that are like 20 years old and battle tested and haven't really changed in forever.

Then you have a couple specific libraries for your very specific problem.

Then, you pin those versions. You probably even run your own internal repo for artifacts so that you have full control over what code you pull into your CI.

But none of this actually prevents supply chain attacks. What it does is drastically lower their profitability and success.

Let's say you magically gain access to the Spring Boot framework's signing keys. You put out a malicious version that will drop persistent threats and backdoors everywhere it can and pull out any credit card numbers or whatever it can find. The team behind Spring Boot takes like two weeks to figure it out, notify of the breach, and take down the malicious code.

How many actual systems have even pulled that code in? Very few. Even a significant supply chain attack still requires significant luck to breach targets. In NPM land, this is not the case, and tons of things are pulling in the "latest" version of frameworks. You are much more likely to get someone to actually run your malicious code.
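The pinning the comment above describes is the thing a CI check can actually enforce. The script below is an added example, not code from the commenter or from any project: it audits a constructed Maven pom.xml for dependencies that would resolve to whatever is newest (version ranges, LATEST/RELEASE, -SNAPSHOT, or no version at all), and it verifies a fetched artifact against a SHA-256 digest recorded when the dependency was first vetted. The coordinates, the POM, the jar bytes and the PINS table are all constructed for the example; in a real setup the digests would live in your lockfile or repository manager.

```python
"""Audit a Maven POM for unpinned versions and verify artifacts against
pinned SHA-256 digests. Added example; not the commenter's or any project's code."""
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample POM: one properly pinned dependency and four that would
# pull in "whatever is newest" at build time.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>billing</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.14.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>widget-client</artifactId>
      <version>[2.0,)</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>metrics</artifactId>
      <version>LATEST</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>tracing</artifactId>
      <version>1.3-SNAPSHOT</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unversioned</artifactId>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# A concrete release version: digits and dots, optional qualifier such as 2.1.0-jre.
PINNED_VERSION = re.compile(r"^\d+(\.\d+)*([.-][A-Za-z0-9]+)*$")


def find_unpinned(pom_xml):
    """Return [(group:artifact, reason), ...] for dependencies that are not pinned."""
    root = ET.fromstring(pom_xml)
    problems = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        group = dep.findtext("m:groupId", namespaces=NS)
        artifact = dep.findtext("m:artifactId", namespaces=NS)
        version = dep.findtext("m:version", namespaces=NS)
        coord = f"{group}:{artifact}"
        if version is None:
            problems.append((coord, "no version: resolved from a parent or BOM, pin it here"))
        elif version in ("LATEST", "RELEASE"):
            problems.append((coord, f"{version}: resolves to the newest artifact on every build"))
        elif version.startswith(("[", "(")):
            problems.append((coord, f"range {version}: newest matching release wins"))
        elif version.endswith("-SNAPSHOT"):
            problems.append((coord, "SNAPSHOT: contents change under the same version"))
        elif not PINNED_VERSION.match(version):
            problems.append((coord, f"{version!r}: property or unrecognised form, resolve and pin"))
    return problems


# Constructed artifact bytes and the digest "recorded when the jar was vetted".
GOOD_JAR = b"PK\x03\x04 constructed stand-in for commons-lang3-3.14.0.jar"
PINS = {
    "org.apache.commons:commons-lang3:3.14.0": hashlib.sha256(GOOD_JAR).hexdigest(),
}


def verify_artifact(coord, jar_bytes, pins=PINS):
    """True only if coord is pinned and jar_bytes matches the recorded digest.

    An unpinned coordinate is rejected outright: an artifact nobody vetted is
    exactly what a compromised upstream release would be.
    """
    expected = pins.get(coord)
    if expected is None:
        return False
    actual = hashlib.sha256(jar_bytes).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    for coord, reason in find_unpinned(SAMPLE_POM):
        print(f"UNPINNED {coord}: {reason}")
    print("commons-lang3 ok:", verify_artifact("org.apache.commons:commons-lang3:3.14.0", GOOD_JAR))
```

Wire `find_unpinned` into CI so a non-empty result fails the build, and gate the artifact cache on `verify_artifact` so that a re-published jar under an already pinned version is refused rather than silently swapped in; that is the property the comment relies on when it says a malicious Spring Boot release would reach very few pinned builds before it was pulled.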