Let us have an NLFSR with the feedback function g(x) and an LFSR with the generating polynomial f (x). The function g(x) is a Boolean function on the state of the NLFSR and the LFSR, at any time instance t. Whenever the LFSR has good statistical properties, it is used for controlling the randomness of the NLFSR's state machine. In this paper we define and study the general class of "Grain" family of stream ciphers, where the keystream bits are generated by another Boolean function h(y) on the states of the NLFSR and the LFSR. We show that the cryptographic strength of this family is related to the general decoding problem, when a key-recovering attack is considered. A proper choice of the functions f (·), g(·) and h(·) could, potentially, give us a strong instance of a stream cipher. One of such stream ciphers Grain was recently proposed as a candidate for the European project ECRYPT in May, 2005. Grain uses the secret key of length 80 bits and its internal state is of size 160 bits. It was suggested as a fast and small primitive for efficient hardware implementation. In our work we propose the analysis of such structures in general, and, in particular, we give a linear distinguishing attack on Grain with time complexity O(2 54 ), when O(2 51 ) bits of the keystream is available. This is the first paper presenting an attack on Grain, and it reveals a leakage in the choice of the functions in this particular design instance.